Azure Policy Regulatory Compliance controls for Azure Resource Manager

Article
01/05/2023
811 minutes to read

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Resource Manager. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Guidelines for System Hardening - Operating system hardening	380	Operating system configuration - 380	Deprecated accounts should be removed from your subscription	3.0.0
Guidelines for System Hardening - Operating system hardening	380	Operating system configuration - 380	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	414	User identification - 414	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Guidelines for Personnel Security - Access to systems and their resources	414	User identification - 414	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	414	User identification - 414	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	430	Suspension of access to systems - 430	Deprecated accounts should be removed from your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	430	Suspension of access to systems - 430	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	441	Temporary access to systems - 441	Deprecated accounts should be removed from your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	441	Temporary access to systems - 441	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	441	Temporary access to systems - 441	External accounts with owner permissions should be removed from your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	441	Temporary access to systems - 441	External accounts with write permissions should be removed from your subscription	3.0.0
Guidelines for Media - Media usage	947	Using media for data transfers - 947	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Guidelines for System Hardening - Authentication hardening	1173	Multi-factor authentication - 1173	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Guidelines for System Hardening - Authentication hardening	1173	Multi-factor authentication - 1173	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Guidelines for System Hardening - Authentication hardening	1384	Multi-factor authentication - 1384	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Guidelines for System Hardening - Authentication hardening	1384	Multi-factor authentication - 1384	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Guidelines for System Hardening - Authentication hardening	1384	Multi-factor authentication - 1384	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	1503	Standard access to systems - 1503	A maximum of 3 owners should be designated for your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	1503	Standard access to systems - 1503	There should be more than one owner assigned to your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	1508	Privileged access to systems - 1508	A maximum of 3 owners should be designated for your subscription	3.0.0
Guidelines for Personnel Security - Access to systems and their resources	1508	Privileged access to systems - 1508	There should be more than one owner assigned to your subscription	3.0.0
Guidelines for System Management - Data backup and restoration	1511	Performing backups - 1511	Audit virtual machines without disaster recovery configured	1.0.0

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Network Security	NS-10	Ensure Domain Name System (DNS) security	Azure Defender for DNS should be enabled	1.0.0
Identity Management	IM-6	Use strong authentication controls	Accounts with owner permissions on Azure resources should be MFA enabled	1.0.0
Identity Management	IM-6	Use strong authentication controls	Accounts with read permissions on Azure resources should be MFA enabled	1.0.0
Identity Management	IM-6	Use strong authentication controls	Accounts with write permissions on Azure resources should be MFA enabled	1.0.0
Identity Management	IM-6	Use strong authentication controls	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identity Management	IM-6	Use strong authentication controls	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identity Management	IM-6	Use strong authentication controls	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Privileged Access	PA-1	Separate and limit highly privileged/administrative users	A maximum of 3 owners should be designated for your subscription	3.0.0
Privileged Access	PA-1	Separate and limit highly privileged/administrative users	Blocked accounts with owner permissions on Azure resources should be removed	1.0.0
Privileged Access	PA-1	Separate and limit highly privileged/administrative users	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Privileged Access	PA-1	Separate and limit highly privileged/administrative users	External accounts with owner permissions should be removed from your subscription	3.0.0
Privileged Access	PA-1	Separate and limit highly privileged/administrative users	Guest accounts with owner permissions on Azure resources should be removed	1.0.0
Privileged Access	PA-1	Separate and limit highly privileged/administrative users	There should be more than one owner assigned to your subscription	3.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Blocked accounts with owner permissions on Azure resources should be removed	1.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Blocked accounts with read and write permissions on Azure resources should be removed	1.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Deprecated accounts should be removed from your subscription	3.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	External accounts with owner permissions should be removed from your subscription	3.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	External accounts with read permissions should be removed from your subscription	3.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	External accounts with write permissions should be removed from your subscription	3.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Guest accounts with owner permissions on Azure resources should be removed	1.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Guest accounts with read permissions on Azure resources should be removed	1.0.0
Privileged Access	PA-4	Review and reconcile user access regularly	Guest accounts with write permissions on Azure resources should be removed	1.0.0
Data Protection	DP-2	Monitor anomalies and threats targeting sensitive data	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Data Protection	DP-2	Monitor anomalies and threats targeting sensitive data	Azure Defender for open-source relational databases should be enabled	1.0.0
Data Protection	DP-2	Monitor anomalies and threats targeting sensitive data	Azure Defender for SQL servers on machines should be enabled	1.0.2
Data Protection	DP-2	Monitor anomalies and threats targeting sensitive data	Azure Defender for Storage should be enabled	1.0.3
Data Protection	DP-8	Ensure security of key and certificate repository	Azure Defender for Key Vault should be enabled	1.0.3
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for App Service should be enabled	1.0.3
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for DNS should be enabled	1.0.0
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for Key Vault should be enabled	1.0.3
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for open-source relational databases should be enabled	1.0.0
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for Resource Manager should be enabled	1.0.0
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for servers should be enabled	1.0.3
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for SQL servers on machines should be enabled	1.0.2
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Azure Defender for Storage should be enabled	1.0.3
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Microsoft Defender CSPM should be enabled	1.0.0
Logging and Threat Detection	LT-1	Enable threat detection capabilities	Microsoft Defender for Containers should be enabled	1.0.0
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for App Service should be enabled	1.0.3
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for DNS should be enabled	1.0.0
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for Key Vault should be enabled	1.0.3
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for open-source relational databases should be enabled	1.0.0
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for Resource Manager should be enabled	1.0.0
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for servers should be enabled	1.0.3
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for SQL servers on machines should be enabled	1.0.2
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Azure Defender for Storage should be enabled	1.0.3
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Microsoft Defender CSPM should be enabled	1.0.0
Logging and Threat Detection	LT-2	Enable threat detection for identity and access management	Microsoft Defender for Containers should be enabled	1.0.0
Logging and Threat Detection	LT-5	Centralize security log management and analysis	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Incident Response	IR-2	Preparation - setup incident notification	Email notification for high severity alerts should be enabled	1.0.1
Incident Response	IR-2	Preparation - setup incident notification	Email notification to subscription owner for high severity alerts should be enabled	2.0.0
Incident Response	IR-2	Preparation - setup incident notification	Subscriptions should have a contact email address for security issues	1.0.1
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for App Service should be enabled	1.0.3
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for DNS should be enabled	1.0.0
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for Key Vault should be enabled	1.0.3
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for open-source relational databases should be enabled	1.0.0
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for Resource Manager should be enabled	1.0.0
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for servers should be enabled	1.0.3
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for SQL servers on machines should be enabled	1.0.2
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Azure Defender for Storage should be enabled	1.0.3
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Microsoft Defender CSPM should be enabled	1.0.0
Incident Response	IR-3	Detection and analysis - create incidents based on high-quality alerts	Microsoft Defender for Containers should be enabled	1.0.0
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for App Service should be enabled	1.0.3
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for DNS should be enabled	1.0.0
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for Key Vault should be enabled	1.0.3
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for open-source relational databases should be enabled	1.0.0
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for Resource Manager should be enabled	1.0.0
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for servers should be enabled	1.0.3
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for SQL servers on machines should be enabled	1.0.2
Incident Response	IR-5	Detection and analysis - prioritize incidents	Azure Defender for Storage should be enabled	1.0.3
Incident Response	IR-5	Detection and analysis - prioritize incidents	Microsoft Defender CSPM should be enabled	1.0.0
Incident Response	IR-5	Detection and analysis - prioritize incidents	Microsoft Defender for Containers should be enabled	1.0.0
Endpoint Security	ES-1	Use Endpoint Detection and Response (EDR)	Azure Defender for servers should be enabled	1.0.3

Azure Security Benchmark v1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Incident Response	10.4	Provide security incident contact details and configure alert notifications for security incidents	Subscriptions should have a contact email address for security issues	1.0.1
Logging and Monitoring	2.2	Configure central security log management	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Logging and Monitoring	2.2	Configure central security log management	Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	1.0.0
Logging and Monitoring	2.2	Configure central security log management	Azure Monitor should collect activity logs from all regions	2.0.0
Logging and Monitoring	2.4	Collect security logs from operating systems	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Identity and Access Control	3.1	Maintain an inventory of administrative accounts	A maximum of 3 owners should be designated for your subscription	3.0.0
Identity and Access Control	3.1	Maintain an inventory of administrative accounts	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Identity and Access Control	3.1	Maintain an inventory of administrative accounts	External accounts with owner permissions should be removed from your subscription	3.0.0
Identity and Access Control	3.1	Maintain an inventory of administrative accounts	There should be more than one owner assigned to your subscription	3.0.0
Identity and Access Control	3.10	Regularly review and reconcile user access	Deprecated accounts should be removed from your subscription	3.0.0
Identity and Access Control	3.10	Regularly review and reconcile user access	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Identity and Access Control	3.10	Regularly review and reconcile user access	External accounts with owner permissions should be removed from your subscription	3.0.0
Identity and Access Control	3.10	Regularly review and reconcile user access	External accounts with read permissions should be removed from your subscription	3.0.0
Identity and Access Control	3.10	Regularly review and reconcile user access	External accounts with write permissions should be removed from your subscription	3.0.0
Identity and Access Control	3.3	Use dedicated administrative accounts	A maximum of 3 owners should be designated for your subscription	3.0.0
Identity and Access Control	3.3	Use dedicated administrative accounts	There should be more than one owner assigned to your subscription	3.0.0
Identity and Access Control	3.5	Use multi-factor authentication for all Azure Active Directory based access	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identity and Access Control	3.5	Use multi-factor authentication for all Azure Active Directory based access	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identity and Access Control	3.5	Use multi-factor authentication for all Azure Active Directory based access	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Data Protection	4.9	Log and alert on changes to critical Azure resources	Azure Monitor should collect activity logs from all regions	2.0.0

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-2	Account Management	Deprecated accounts should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	External accounts with owner permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	External accounts with read permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	External accounts with write permissions should be removed from your subscription	3.0.0
Access Control	AC-5	Separation of Duties	A maximum of 3 owners should be designated for your subscription	3.0.0
Access Control	AC-5	Separation of Duties	There should be more than one owner assigned to your subscription	3.0.0
Access Control	AC-6	Least Privilege	A maximum of 3 owners should be designated for your subscription	3.0.0
Access Control	AC-6	Least Privilege	There should be more than one owner assigned to your subscription	3.0.0
Contingency Planning	CP-7	Alternative Processing Site	Audit virtual machines without disaster recovery configured	1.0.0
Identification and Authentication	IA-2(1)	Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identification and Authentication	IA-2(1)	Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.1	Ensure that multi-factor authentication is enabled for all privileged users	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.1	Ensure that multi-factor authentication is enabled for all privileged users	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.1	Ensure that multi-factor authentication is enabled for all privileged users	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.10	Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.10	Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.10	Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.11	Ensure that 'Users can register applications' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.11	Ensure that 'Users can register applications' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.11	Ensure that 'Users can register applications' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Self-service group management enabled' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Self-service group management enabled' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Self-service group management enabled' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Self-service group management enabled' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Users who can manage security groups' is set to 'None'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Users who can manage security groups' is set to 'None'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Users who can manage security groups' is set to 'None'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Users who can manage security groups' is set to 'None'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Office 365 groups' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Office 365 groups' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Office 365 groups' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Office 365 groups' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.2	Ensure that multi-factor authentication is enabled for all non-privileged users	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.2	Ensure that multi-factor authentication is enabled for all non-privileged users	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Users who can manage Office 365 groups' is set to 'None'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Users who can manage Office 365 groups' is set to 'None'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Users who can manage Office 365 groups' is set to 'None'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Users who can manage Office 365 groups' is set to 'None'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Authorize remote access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Document mobility training	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Document remote access guidelines	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Identify and authenticate network devices	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Implement controls to secure alternate work sites	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Provide privacy training	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Satisfy token quality requirements	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure that no custom subscription owner roles are created	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure that no custom subscription owner roles are created	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure that no custom subscription owner roles are created	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure that no custom subscription owner roles are created	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure that no custom subscription owner roles are created	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure that no custom subscription owner roles are created	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	Audit user account status	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	External accounts with owner permissions should be removed from your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	External accounts with read permissions should be removed from your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	External accounts with write permissions should be removed from your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	Reassign or remove user privileges as needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	Review account provisioning logs	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	Review user accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure that there are no guest users	Review user privileges	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.4	Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.4	Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'	Identify and authenticate network devices	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.4	Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'	Satisfy token quality requirements	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'	Automate account management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'	Manage system and admin accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'	Monitor access across the organization	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'	Notify when account is not needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Automate account management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Implement training for protecting authenticators	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Manage system and admin accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Monitor access across the organization	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Notify when account is not needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Audit privileged functions	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Automate account management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Implement training for protecting authenticators	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Manage system and admin accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Monitor access across the organization	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Monitor privileged role assignment	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Notify when account is not needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Restrict access to privileged accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Revoke privileged roles as appropriate	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Use privileged identity management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.9	Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.9	Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.9	Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Azure Defender for App Service should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Azure Defender for Key Vault should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Azure Defender for servers should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Azure Defender for SQL servers on machines should be enabled	1.0.2
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Azure Defender for Storage should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Microsoft Defender for Containers should be enabled	1.0.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that standard pricing tier is selected	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled"	Establish a data leakage management procedure	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled"	Implement controls to secure all media	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled"	Protect data in transit using encryption	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure ASC Default policy setting "Monitor Storage Blob Encryption" is not "Disabled"	Protect special information	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled"	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.14	Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"	Audit privileged functions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.14	Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"	Audit user account status	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.14	Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"	Determine auditable events	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.14	Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled"	Review audit data	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.15	Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled"	Establish a data leakage management procedure	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.15	Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled"	Implement controls to secure all media	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.15	Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled"	Protect data in transit using encryption	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.15	Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled"	Protect special information	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.16	Ensure that 'Security contact emails' is set	Subscriptions should have a contact email address for security issues	1.0.1
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.18	Ensure that 'Send email notification for high severity alerts' is set to 'On'	Email notification for high severity alerts should be enabled	1.0.1
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.19	Ensure that 'Send email also to subscription owners' is set to 'On'	Email notification to subscription owner for high severity alerts should be enabled	2.0.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'	Document security operations	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'	Turn on sensors for endpoint security solution	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled"	Remediate information system flaws	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled"	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled"	Remediate information system flaws	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled"	Establish a data leakage management procedure	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled"	Implement controls to secure all media	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled"	Protect data in transit using encryption	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled"	Protect special information	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled"	Control information flow	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled"	Employ flow control mechanisms of encrypted information	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled"	Control information flow	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled"	Employ flow control mechanisms of encrypted information	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled"	Control information flow	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled"	Employ flow control mechanisms of encrypted information	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.1	Ensure that 'Secure transfer required' is set to 'Enabled'	Configure workstations to check for digital certificates	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.1	Ensure that 'Secure transfer required' is set to 'Enabled'	Protect data in transit using encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.1	Ensure that 'Secure transfer required' is set to 'Enabled'	Protect passwords with encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Define a physical key management process	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Define cryptographic use	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Define organizational requirements for cryptographic key management	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Determine assertion requirements	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Issue public key certificates	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Manage symmetric cryptographic keys	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Restrict access to private keys	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Audit privileged functions	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Audit user account status	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Configure Azure Audit capabilities	1.1.1
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Determine auditable events	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Review audit data	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.4	Ensure that shared access signature tokens expire within an hour	Disable authenticators upon termination	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.4	Ensure that shared access signature tokens expire within an hour	Revoke privileged roles as appropriate	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.4	Ensure that shared access signature tokens expire within an hour	Terminate user session automatically	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that shared access signature tokens are allowed only over https	Configure workstations to check for digital certificates	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that shared access signature tokens are allowed only over https	Protect data in transit using encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that shared access signature tokens are allowed only over https	Protect passwords with encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.6	Ensure that 'Public access level' is set to Private for blob containers	Authorize access to security functions and information	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.6	Ensure that 'Public access level' is set to Private for blob containers	Authorize and manage access	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.6	Ensure that 'Public access level' is set to Private for blob containers	Enforce logical access	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.6	Ensure that 'Public access level' is set to Private for blob containers	Enforce mandatory and discretionary access control policies	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.6	Ensure that 'Public access level' is set to Private for blob containers	Require approval for account creation	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.6	Ensure that 'Public access level' is set to Private for blob containers	Review user groups and applications with access to sensitive data	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.8	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Control information flow	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.8	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Employ flow control mechanisms of encrypted information	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.8	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Establish firewall and router configuration standards	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.8	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Establish network segmentation for card holder data environment	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.8	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Identify and manage downstream information exchanges	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1	Ensure that 'Auditing' is set to 'On'	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1	Ensure that 'Auditing' is set to 'On'	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1	Ensure that 'Auditing' is set to 'On'	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1	Ensure that 'Auditing' is set to 'On'	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.10	Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)	Establish a data leakage management procedure	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.10	Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)	Implement controls to secure all media	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.10	Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.10	Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key)	Protect special information	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.11	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	Configure workstations to check for digital certificates	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.11	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.11	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	Protect passwords with encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.12	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.12	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.12	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.12	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.13	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	Configure workstations to check for digital certificates	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.13	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.13	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	Protect passwords with encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.14	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.14	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.14	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.14	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.15	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.15	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.15	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.15	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.16	Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.16	Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.16	Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.16	Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.17	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.17	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.17	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.17	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.18	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Adhere to retention periods defined	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.18	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Govern and monitor audit processing activities	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.18	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Retain security policies and procedures	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.18	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Retain terminated user data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.19	Ensure that Azure Active Directory Admin is configured	Automate account management	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.19	Ensure that Azure Active Directory Admin is configured	Manage system and admin accounts	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.19	Ensure that Azure Active Directory Admin is configured	Monitor access across the organization	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.19	Ensure that Azure Active Directory Admin is configured	Notify when account is not needed	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2	Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2	Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2	Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2	Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Adhere to retention periods defined	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Govern and monitor audit processing activities	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Retain security policies and procedures	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Retain terminated user data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.4	Ensure that 'Advanced Data Security' on a SQL server is set to 'On'	Perform a trend analysis on threats	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.5	Ensure that 'Threat Detection types' is set to 'All'	Perform a trend analysis on threats	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.6	Ensure that 'Send alerts to' is set	Alert personnel of information spillage	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.6	Ensure that 'Send alerts to' is set	Develop an incident response plan	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.6	Ensure that 'Send alerts to' is set	Set automated notifications for new and trending cloud applications in your organization	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.7	Ensure that 'Email service and co-administrators' is 'Enabled'	Alert personnel of information spillage	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.7	Ensure that 'Email service and co-administrators' is 'Enabled'	Develop an incident response plan	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.7	Ensure that 'Email service and co-administrators' is 'Enabled'	Set automated notifications for new and trending cloud applications in your organization	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.8	Ensure that Azure Active Directory Admin is configured	Automate account management	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.8	Ensure that Azure Active Directory Admin is configured	Manage system and admin accounts	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.8	Ensure that Azure Active Directory Admin is configured	Monitor access across the organization	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.8	Ensure that Azure Active Directory Admin is configured	Notify when account is not needed	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.9	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Establish a data leakage management procedure	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.9	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Implement controls to secure all media	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.9	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.9	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Protect special information	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1	Ensure that a Log Profile exists	Adhere to retention periods defined	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1	Ensure that a Log Profile exists	Azure subscriptions should have a log profile for Activity Log	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1	Ensure that a Log Profile exists	Govern and monitor audit processing activities	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1	Ensure that a Log Profile exists	Retain security policies and procedures	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1	Ensure that a Log Profile exists	Retain terminated user data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure that Activity Log Retention is set 365 days or greater	Activity log should be retained for at least one year	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure that Activity Log Retention is set 365 days or greater	Adhere to retention periods defined	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure that Activity Log Retention is set 365 days or greater	Retain security policies and procedures	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure that Activity Log Retention is set 365 days or greater	Retain terminated user data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure audit profile captures all the activities	Adhere to retention periods defined	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure audit profile captures all the activities	Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure audit profile captures all the activities	Govern and monitor audit processing activities	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure audit profile captures all the activities	Retain security policies and procedures	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure audit profile captures all the activities	Retain terminated user data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the log profile captures activity logs for all regions including global	Adhere to retention periods defined	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the log profile captures activity logs for all regions including global	Azure Monitor should collect activity logs from all regions	2.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the log profile captures activity logs for all regions including global	Govern and monitor audit processing activities	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the log profile captures activity logs for all regions including global	Retain security policies and procedures	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the log profile captures activity logs for all regions including global	Retain terminated user data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5	Ensure the storage container storing the activity logs is not publicly accessible	Enable dual or joint authorization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5	Ensure the storage container storing the activity logs is not publicly accessible	Protect audit information	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6	Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)	Enable dual or joint authorization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6	Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)	Maintain integrity of audit system	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6	Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)	Protect audit information	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7	Ensure that logging for Azure KeyVault is 'Enabled'	Audit privileged functions	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7	Ensure that logging for Azure KeyVault is 'Enabled'	Audit user account status	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7	Ensure that logging for Azure KeyVault is 'Enabled'	Determine auditable events	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7	Ensure that logging for Azure KeyVault is 'Enabled'	Review audit data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	An activity log alert should exist for specific Policy operations	3.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Create or Update Network Security Group	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Create or Update Network Security Group	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Create or Update Network Security Group	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Create or Update Network Security Group	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Delete Network Security Group	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Delete Network Security Group	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Delete Network Security Group	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Delete Network Security Group	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that activity log alert exists for the Delete Network Security Group Rule	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that activity log alert exists for the Delete Network Security Group Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that activity log alert exists for the Delete Network Security Group Rule	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that activity log alert exists for the Delete Network Security Group Rule	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that Activity Log Alert exists for Create or Update Security Solution	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that Activity Log Alert exists for Create or Update Security Solution	An activity log alert should exist for specific Security operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that Activity Log Alert exists for Create or Update Security Solution	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that Activity Log Alert exists for Create or Update Security Solution	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Delete Security Solution	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Delete Security Solution	An activity log alert should exist for specific Security operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Delete Security Solution	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Delete Security Solution	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Update Security Policy	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Update Security Policy	An activity log alert should exist for specific Security operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Update Security Policy	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Update Security Policy	Set automated notifications for new and trending cloud applications in your organization	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.3	Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)	Control information flow	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.3	Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)	Employ flow control mechanisms of encrypted information	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.4	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	Adhere to retention periods defined	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.4	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	Retain security policies and procedures	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.4	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	Retain terminated user data	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.5	Ensure that Network Watcher is 'Enabled'	Verify security functions	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure that 'OS disk' are encrypted	Establish a data leakage management procedure	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure that 'OS disk' are encrypted	Implement controls to secure all media	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure that 'OS disk' are encrypted	Protect data in transit using encryption	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure that 'OS disk' are encrypted	Protect special information	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'Data disks' are encrypted	Establish a data leakage management procedure	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'Data disks' are encrypted	Implement controls to secure all media	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'Data disks' are encrypted	Protect data in transit using encryption	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'Data disks' are encrypted	Protect special information	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted	Establish a data leakage management procedure	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted	Implement controls to secure all media	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted	Protect data in transit using encryption	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted	Protect special information	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.5	Ensure that the latest OS Patches for all Virtual Machines are applied	Remediate information system flaws	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Block untrusted and unsigned processes that run from USB	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Document security operations	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Manage gateways	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Perform a trend analysis on threats	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Perform vulnerability scans	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Review malware detections report weekly	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Review threat protection status weekly	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Turn on sensors for endpoint security solution	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Update antivirus definitions	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Verify software, firmware and information integrity	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Define a physical key management process	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Define cryptographic use	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Define organizational requirements for cryptographic key management	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Determine assertion requirements	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Issue public key certificates	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Manage symmetric cryptographic keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Restrict access to private keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Define a physical key management process	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Define cryptographic use	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Define organizational requirements for cryptographic key management	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Determine assertion requirements	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Issue public key certificates	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Manage symmetric cryptographic keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Restrict access to private keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.3	Ensure that Resource Locks are set for mission critical Azure resources	Establish and document change control processes	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.4	Ensure the key vault is recoverable	Maintain availability of information	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Authorize access to security functions and information	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Authorize and manage access	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Enforce logical access	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Enforce mandatory and discretionary access control policies	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Require approval for account creation	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Review user groups and applications with access to sensitive data	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.1	Ensure App Service Authentication is set on Azure App Service	Authenticate to cryptographic module	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.1	Ensure App Service Authentication is set on Azure App Service	Enforce user uniqueness	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.1	Ensure App Service Authentication is set on Azure App Service	Support personal verification credentials issued by legal authorities	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.10	Ensure that 'HTTP Version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.2	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Configure workstations to check for digital certificates	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.2	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Protect data in transit using encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.2	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Protect passwords with encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.3	Ensure web app is using the latest version of TLS encryption	Configure workstations to check for digital certificates	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.3	Ensure web app is using the latest version of TLS encryption	Protect data in transit using encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.3	Ensure web app is using the latest version of TLS encryption	Protect passwords with encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.4	Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'	Authenticate to cryptographic module	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Automate account management	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Manage system and admin accounts	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Monitor access across the organization	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Notify when account is not needed	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.6	Ensure that '.Net Framework' version is the latest, if used as a part of the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.7	Ensure that 'PHP version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.8	Ensure that 'Python version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.9	Ensure that 'Java version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.1	Ensure that multi-factor authentication is enabled for all privileged users	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.1	Ensure that multi-factor authentication is enabled for all privileged users	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.1	Ensure that multi-factor authentication is enabled for all privileged users	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.10	Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.10	Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.10	Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.11	Ensure that 'Users can register applications' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.11	Ensure that 'Users can register applications' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.11	Ensure that 'Users can register applications' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.12	Ensure that 'Guest user permissions are limited' is set to 'Yes'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.13	Ensure that 'Members can invite' is set to 'No'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.14	Ensure that 'Guests can invite' is set to 'No'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Enforce logical access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Require approval for account creation	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.15	Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'	Review user groups and applications with access to sensitive data	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.16	Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups in Azure Portals' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups in Azure Portals' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups in Azure Portals' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.17	Ensure that 'Users can create security groups in Azure Portals' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.18	Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.19	Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.2	Ensure that multi-factor authentication is enabled for all non-privileged users	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.2	Ensure that multi-factor authentication is enabled for all non-privileged users	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Authorize remote access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Document mobility training	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Document remote access guidelines	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Identify and authenticate network devices	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Implement controls to secure alternate work sites	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Provide privacy training	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.20	Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'	Satisfy token quality requirements	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.21	Ensure that no custom subscription owner roles are created	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.21	Ensure that no custom subscription owner roles are created	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.21	Ensure that no custom subscription owner roles are created	Design an access control model	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.21	Ensure that no custom subscription owner roles are created	Employ least privilege access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.21	Ensure that no custom subscription owner roles are created	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.21	Ensure that no custom subscription owner roles are created	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Authenticate to cryptographic module	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Authorize remote access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Document mobility training	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Document remote access guidelines	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Identify and authenticate network devices	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Implement controls to secure alternate work sites	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Provide privacy training	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.22	Ensure Security Defaults is enabled on Azure Active Directory	Satisfy token quality requirements	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure Custom Role is assigned for Administering Resource Locks	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure Custom Role is assigned for Administering Resource Locks	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure Custom Role is assigned for Administering Resource Locks	Enforce mandatory and discretionary access control policies	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.23	Ensure Custom Role is assigned for Administering Resource Locks	Establish and document change control processes	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	Audit user account status	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	External accounts with owner permissions should be removed from your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	External accounts with read permissions should be removed from your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	External accounts with write permissions should be removed from your subscription	3.0.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	Reassign or remove user privileges as needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	Review account provisioning logs	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	Review user accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.3	Ensure guest users are reviewed on a monthly basis	Review user privileges	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.4	Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'	Adopt biometric authentication mechanisms	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.4	Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'	Identify and authenticate network devices	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.4	Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'	Satisfy token quality requirements	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"	Automate account management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"	Manage system and admin accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"	Monitor access across the organization	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.6	Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to "0"	Notify when account is not needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Automate account management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Implement training for protecting authenticators	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Manage system and admin accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Monitor access across the organization	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.7	Ensure that 'Notify users on password resets?' is set to 'Yes'	Notify when account is not needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Audit privileged functions	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Automate account management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Implement training for protecting authenticators	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Manage system and admin accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Monitor access across the organization	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Monitor privileged role assignment	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Notify when account is not needed	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Restrict access to privileged accounts	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Revoke privileged roles as appropriate	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.8	Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'	Use privileged identity management	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.9	Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	Authorize access to security functions and information	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.9	Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	Authorize and manage access	1.1.0
1 Identity and Access Management	CIS Microsoft Azure Foundations Benchmark recommendation 1.9	Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'	Enforce mandatory and discretionary access control policies	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Azure Defender for servers should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.1	Ensure that Azure Defender is set to On for Servers	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.10	Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'	Document security operations	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.11	Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'	Turn on sensors for endpoint security solution	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure any of the ASC Default policy setting is not set to "Disabled"	Configure actions for noncompliant devices	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure any of the ASC Default policy setting is not set to "Disabled"	Develop and maintain baseline configurations	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure any of the ASC Default policy setting is not set to "Disabled"	Enforce security configuration settings	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure any of the ASC Default policy setting is not set to "Disabled"	Establish a configuration control board	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure any of the ASC Default policy setting is not set to "Disabled"	Establish and document a configuration management plan	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.12	Ensure any of the ASC Default policy setting is not set to "Disabled"	Implement an automated configuration management tool	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.13	Ensure 'Additional email addresses' is configured with a security contact email	Subscriptions should have a contact email address for security issues	1.0.1
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.14	Ensure that 'Notify about alerts with the following severity' is set to 'High'	Email notification for high severity alerts should be enabled	1.0.1
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Azure Defender for App Service should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.2	Ensure that Azure Defender is set to On for App Service	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.3	Ensure that Azure Defender is set to On for Azure SQL database servers	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Azure Defender for SQL servers on machines should be enabled	1.0.2
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.4	Ensure that Azure Defender is set to On for SQL servers on machines	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Azure Defender for Storage should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.5	Ensure that Azure Defender is set to On for Storage	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Microsoft Defender for Containers should be enabled	1.0.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.6	Ensure that Azure Defender is set to On for Kubernetes	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Microsoft Defender for Containers should be enabled	1.0.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.7	Ensure that Azure Defender is set to On for Container Registries	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Azure Defender for Key Vault should be enabled	1.0.3
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.8	Ensure that Azure Defender is set to On for Key Vault	Update antivirus definitions	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Block untrusted and unsigned processes that run from USB	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Detect network services that have not been authorized or approved	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Manage gateways	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Perform a trend analysis on threats	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Perform vulnerability scans	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Review malware detections report weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Review threat protection status weekly	1.1.0
2 Security Center	CIS Microsoft Azure Foundations Benchmark recommendation 2.9	Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected	Update antivirus definitions	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.1	Ensure that 'Secure transfer required' is set to 'Enabled'	Configure workstations to check for digital certificates	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.1	Ensure that 'Secure transfer required' is set to 'Enabled'	Protect data in transit using encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.1	Ensure that 'Secure transfer required' is set to 'Enabled'	Protect passwords with encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.10	Ensure Storage logging is enabled for Blob service for read, write, and delete requests	Audit privileged functions	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.10	Ensure Storage logging is enabled for Blob service for read, write, and delete requests	Audit user account status	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.10	Ensure Storage logging is enabled for Blob service for read, write, and delete requests	Configure Azure Audit capabilities	1.1.1
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.10	Ensure Storage logging is enabled for Blob service for read, write, and delete requests	Determine auditable events	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.10	Ensure Storage logging is enabled for Blob service for read, write, and delete requests	Review audit data	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.11	Ensure Storage logging is enabled for Table service for read, write, and delete requests	Audit privileged functions	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.11	Ensure Storage logging is enabled for Table service for read, write, and delete requests	Audit user account status	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.11	Ensure Storage logging is enabled for Table service for read, write, and delete requests	Configure Azure Audit capabilities	1.1.1
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.11	Ensure Storage logging is enabled for Table service for read, write, and delete requests	Determine auditable events	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.11	Ensure Storage logging is enabled for Table service for read, write, and delete requests	Review audit data	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Define a physical key management process	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Define cryptographic use	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Define organizational requirements for cryptographic key management	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Determine assertion requirements	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Issue public key certificates	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Manage symmetric cryptographic keys	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.2	Ensure that storage account access keys are periodically regenerated	Restrict access to private keys	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Audit privileged functions	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Audit user account status	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Configure Azure Audit capabilities	1.1.1
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Determine auditable events	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.3	Ensure Storage logging is enabled for Queue service for read, write, and delete requests	Review audit data	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.4	Ensure that shared access signature tokens expire within an hour	Disable authenticators upon termination	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.4	Ensure that shared access signature tokens expire within an hour	Revoke privileged roles as appropriate	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.4	Ensure that shared access signature tokens expire within an hour	Terminate user session automatically	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that 'Public access level' is set to Private for blob containers	Authorize access to security functions and information	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that 'Public access level' is set to Private for blob containers	Authorize and manage access	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that 'Public access level' is set to Private for blob containers	Enforce logical access	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that 'Public access level' is set to Private for blob containers	Enforce mandatory and discretionary access control policies	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that 'Public access level' is set to Private for blob containers	Require approval for account creation	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.5	Ensure that 'Public access level' is set to Private for blob containers	Review user groups and applications with access to sensitive data	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.7	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Control information flow	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.7	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Employ flow control mechanisms of encrypted information	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.7	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Establish firewall and router configuration standards	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.7	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Establish network segmentation for card holder data environment	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.7	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	Identify and manage downstream information exchanges	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.9	Ensure storage for critical data are encrypted with Customer Managed Key	Establish a data leakage management procedure	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.9	Ensure storage for critical data are encrypted with Customer Managed Key	Implement controls to secure all media	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.9	Ensure storage for critical data are encrypted with Customer Managed Key	Protect data in transit using encryption	1.1.0
3 Storage Accounts	CIS Microsoft Azure Foundations Benchmark recommendation 3.9	Ensure storage for critical data are encrypted with Customer Managed Key	Protect special information	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1	Ensure that 'Auditing' is set to 'On'	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1	Ensure that 'Auditing' is set to 'On'	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1	Ensure that 'Auditing' is set to 'On'	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.1	Ensure that 'Auditing' is set to 'On'	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Establish a data leakage management procedure	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Implement controls to secure all media	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2	Ensure that 'Data encryption' is set to 'On' on a SQL Database	Protect special information	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Adhere to retention periods defined	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Govern and monitor audit processing activities	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Retain security policies and procedures	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.1.3	Ensure that 'Auditing' Retention is 'greater than 90 days'	Retain terminated user data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.1	Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'	Perform a trend analysis on threats	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2	Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account	Perform vulnerability scans	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.2	Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account	Remediate information system flaws	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3	Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server	Perform vulnerability scans	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.3	Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server	Remediate information system flaws	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4	Ensure that VA setting Send scan reports to is configured for a SQL server	Correlate Vulnerability scan information	1.1.1
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4	Ensure that VA setting Send scan reports to is configured for a SQL server	Perform vulnerability scans	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.4	Ensure that VA setting Send scan reports to is configured for a SQL server	Remediate information system flaws	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5	Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server	Correlate Vulnerability scan information	1.1.1
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5	Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server	Perform vulnerability scans	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.2.5	Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server	Remediate information system flaws	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	Configure workstations to check for digital certificates	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	Protect passwords with encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	Configure workstations to check for digital certificates	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	Protect passwords with encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.3	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.4	Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.5	Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Audit privileged functions	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Audit user account status	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Determine auditable events	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.6	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	Review audit data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Adhere to retention periods defined	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Govern and monitor audit processing activities	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Retain security policies and procedures	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7	Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server	Retain terminated user data	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8	Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled	Control information flow	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8	Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled	Employ flow control mechanisms of encrypted information	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8	Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled	Establish firewall and router configuration standards	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8	Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled	Establish network segmentation for card holder data environment	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8	Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled	Identify and manage downstream information exchanges	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.4	Ensure that Azure Active Directory Admin is configured	Automate account management	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.4	Ensure that Azure Active Directory Admin is configured	Manage system and admin accounts	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.4	Ensure that Azure Active Directory Admin is configured	Monitor access across the organization	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.4	Ensure that Azure Active Directory Admin is configured	Notify when account is not needed	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.5	Ensure SQL server's TDE protector is encrypted with Customer-managed key	Establish a data leakage management procedure	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.5	Ensure SQL server's TDE protector is encrypted with Customer-managed key	Implement controls to secure all media	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.5	Ensure SQL server's TDE protector is encrypted with Customer-managed key	Protect data in transit using encryption	1.1.0
4 Database Services	CIS Microsoft Azure Foundations Benchmark recommendation 4.5	Ensure SQL server's TDE protector is encrypted with Customer-managed key	Protect special information	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.1	Ensure that a 'Diagnostics Setting' exists	Determine auditable events	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure Diagnostic Setting captures appropriate categories	Audit privileged functions	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure Diagnostic Setting captures appropriate categories	Audit user account status	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure Diagnostic Setting captures appropriate categories	Configure Azure Audit capabilities	1.1.1
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure Diagnostic Setting captures appropriate categories	Determine auditable events	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.2	Ensure Diagnostic Setting captures appropriate categories	Review audit data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure the storage container storing the activity logs is not publicly accessible	Enable dual or joint authorization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3	Ensure the storage container storing the activity logs is not publicly accessible	Protect audit information	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)	Enable dual or joint authorization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)	Maintain integrity of audit system	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4	Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)	Protect audit information	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5	Ensure that logging for Azure KeyVault is 'Enabled'	Audit privileged functions	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5	Ensure that logging for Azure KeyVault is 'Enabled'	Audit user account status	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5	Ensure that logging for Azure KeyVault is 'Enabled'	Determine auditable events	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5	Ensure that logging for Azure KeyVault is 'Enabled'	Review audit data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	An activity log alert should exist for specific Policy operations	3.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.1	Ensure that Activity Log Alert exists for Create Policy Assignment	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Delete Policy Assignment	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Delete Policy Assignment	An activity log alert should exist for specific Policy operations	3.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Delete Policy Assignment	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.2	Ensure that Activity Log Alert exists for Delete Policy Assignment	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Create or Update Network Security Group	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Create or Update Network Security Group	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Create or Update Network Security Group	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.3	Ensure that Activity Log Alert exists for Create or Update Network Security Group	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Delete Network Security Group	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Delete Network Security Group	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Delete Network Security Group	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.4	Ensure that Activity Log Alert exists for Delete Network Security Group	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.5	Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that activity log alert exists for the Delete Network Security Group Rule	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that activity log alert exists for the Delete Network Security Group Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that activity log alert exists for the Delete Network Security Group Rule	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.6	Ensure that activity log alert exists for the Delete Network Security Group Rule	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Create or Update Security Solution	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Create or Update Security Solution	An activity log alert should exist for specific Security operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Create or Update Security Solution	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.7	Ensure that Activity Log Alert exists for Create or Update Security Solution	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Delete Security Solution	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Delete Security Solution	An activity log alert should exist for specific Security operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Delete Security Solution	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.8	Ensure that Activity Log Alert exists for Delete Security Solution	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	Alert personnel of information spillage	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	An activity log alert should exist for specific Administrative operations	1.0.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	Develop an incident response plan	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.2.9	Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule	Set automated notifications for new and trending cloud applications in your organization	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Adhere to retention periods defined	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Audit privileged functions	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Audit user account status	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Configure Azure Audit capabilities	1.1.1
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Determine auditable events	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Govern and monitor audit processing activities	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Retain security policies and procedures	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Retain terminated user data	1.1.0
5 Logging and Monitoring	CIS Microsoft Azure Foundations Benchmark recommendation 5.3	Ensure that Diagnostic Logs are enabled for all services which support it.	Review audit data	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.3	Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)	Control information flow	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.3	Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)	Employ flow control mechanisms of encrypted information	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.4	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	Adhere to retention periods defined	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.4	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	Retain security policies and procedures	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.4	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	Retain terminated user data	1.1.0
6 Networking	CIS Microsoft Azure Foundations Benchmark recommendation 6.5	Ensure that Network Watcher is 'Enabled'	Verify security functions	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure Virtual Machines are utilizing Managed Disks	Control physical access	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure Virtual Machines are utilizing Managed Disks	Manage the input, output, processing, and storage of data	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.1	Ensure Virtual Machines are utilizing Managed Disks	Review label activity and analytics	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'OS and Data' disks are encrypted with CMK	Establish a data leakage management procedure	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'OS and Data' disks are encrypted with CMK	Implement controls to secure all media	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'OS and Data' disks are encrypted with CMK	Protect data in transit using encryption	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.2	Ensure that 'OS and Data' disks are encrypted with CMK	Protect special information	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted with CMK	Establish a data leakage management procedure	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted with CMK	Implement controls to secure all media	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted with CMK	Protect data in transit using encryption	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.3	Ensure that 'Unattached disks' are encrypted with CMK	Protect special information	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.5	Ensure that the latest OS Patches for all Virtual Machines are applied	Remediate information system flaws	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Block untrusted and unsigned processes that run from USB	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Document security operations	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Manage gateways	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Perform a trend analysis on threats	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Perform vulnerability scans	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Review malware detections report weekly	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Review threat protection status weekly	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Turn on sensors for endpoint security solution	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Update antivirus definitions	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.6	Ensure that the endpoint protection for all Virtual Machines is installed	Verify software, firmware and information integrity	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.7	Ensure that VHD's are encrypted	Establish a data leakage management procedure	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.7	Ensure that VHD's are encrypted	Implement controls to secure all media	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.7	Ensure that VHD's are encrypted	Protect data in transit using encryption	1.1.0
7 Virtual Machines	CIS Microsoft Azure Foundations Benchmark recommendation 7.7	Ensure that VHD's are encrypted	Protect special information	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Define a physical key management process	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Define cryptographic use	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Define organizational requirements for cryptographic key management	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Determine assertion requirements	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Issue public key certificates	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Manage symmetric cryptographic keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.1	Ensure that the expiration date is set on all keys	Restrict access to private keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Define a physical key management process	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Define cryptographic use	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Define organizational requirements for cryptographic key management	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Determine assertion requirements	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Issue public key certificates	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Manage symmetric cryptographic keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.2	Ensure that the expiration date is set on all Secrets	Restrict access to private keys	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.3	Ensure that Resource Locks are set for mission critical Azure resources	Establish and document change control processes	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.4	Ensure the key vault is recoverable	Maintain availability of information	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Authorize access to security functions and information	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Authorize and manage access	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Enforce logical access	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Enforce mandatory and discretionary access control policies	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Require approval for account creation	1.1.0
8 Other Security Considerations	CIS Microsoft Azure Foundations Benchmark recommendation 8.5	Enable role-based access control (RBAC) within Azure Kubernetes Services	Review user groups and applications with access to sensitive data	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.1	Ensure App Service Authentication is set on Azure App Service	Authenticate to cryptographic module	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.1	Ensure App Service Authentication is set on Azure App Service	Enforce user uniqueness	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.1	Ensure App Service Authentication is set on Azure App Service	Support personal verification credentials issued by legal authorities	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.10	Ensure FTP deployments are disabled	Configure workstations to check for digital certificates	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.10	Ensure FTP deployments are disabled	Protect data in transit using encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.10	Ensure FTP deployments are disabled	Protect passwords with encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Define a physical key management process	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Define cryptographic use	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Define organizational requirements for cryptographic key management	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Determine assertion requirements	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Ensure cryptographic mechanisms are under configuration management	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Issue public key certificates	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Maintain availability of information	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Manage symmetric cryptographic keys	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.11	Ensure Azure Keyvaults are used to store secrets	Restrict access to private keys	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.2	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Configure workstations to check for digital certificates	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.2	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Protect data in transit using encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.2	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	Protect passwords with encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.3	Ensure web app is using the latest version of TLS encryption	Configure workstations to check for digital certificates	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.3	Ensure web app is using the latest version of TLS encryption	Protect data in transit using encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.3	Ensure web app is using the latest version of TLS encryption	Protect passwords with encryption	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.4	Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'	Authenticate to cryptographic module	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Automate account management	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Manage system and admin accounts	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Monitor access across the organization	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.5	Ensure that Register with Azure Active Directory is enabled on App Service	Notify when account is not needed	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.6	Ensure that 'PHP version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.7	Ensure that 'Python version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.8	Ensure that 'Java version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0
9 AppService	CIS Microsoft Azure Foundations Benchmark recommendation 9.9	Ensure that 'HTTP Version' is the latest, if used to run the web app	Remediate information system flaws	1.1.0

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	Deprecated accounts should be removed from your subscription	3.0.0
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	External accounts with owner permissions should be removed from your subscription	3.0.0
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	External accounts with read permissions should be removed from your subscription	3.0.0
Access Control	AC.1.001	Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems).	External accounts with write permissions should be removed from your subscription	3.0.0
Access Control	AC.2.007	Employ the principle of least privilege, including for specific security functions and privileged accounts.	External accounts with read permissions should be removed from your subscription	3.0.0
Access Control	AC.2.007	Employ the principle of least privilege, including for specific security functions and privileged accounts.	External accounts with write permissions should be removed from your subscription	3.0.0
Access Control	AC.3.017	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.	A maximum of 3 owners should be designated for your subscription	3.0.0
Access Control	AC.3.017	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.	There should be more than one owner assigned to your subscription	3.0.0
Access Control	AC.3.018	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.018	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.018	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.018	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.018	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	An activity log alert should exist for specific Administrative operations	1.0.0
Access Control	AC.3.021	Authorize remote execution of privileged commands and remote access to security-relevant information.	An activity log alert should exist for specific Security operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Policy operations	3.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	An activity log alert should exist for specific Security operations	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	1.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	Azure Monitor should collect activity logs from all regions	2.0.0
Audit and Accountability	AU.2.041	Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.	Azure subscriptions should have a log profile for Activity Log	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	Activity log should be retained for at least one year	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Administrative operations	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Policy operations	3.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	An activity log alert should exist for specific Security operations	1.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	Azure Monitor should collect activity logs from all regions	2.0.0
Audit and Accountability	AU.2.042	Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.	Azure subscriptions should have a log profile for Activity Log	1.0.0
Audit and Accountability	AU.3.049	Protect audit information and audit logging tools from unauthorized access, modification, and deletion.	An activity log alert should exist for specific Policy operations	3.0.0
Security Assessment	CA.2.158	Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.	An activity log alert should exist for specific Security operations	1.0.0
Security Assessment	CA.3.161	Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.	An activity log alert should exist for specific Security operations	1.0.0
Configuration Management	CM.2.061	Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.	An activity log alert should exist for specific Policy operations	3.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Policy operations	3.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	An activity log alert should exist for specific Security operations	1.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	Azure Monitor should collect activity logs from all regions	2.0.0
Configuration Management	CM.2.065	Track, review, approve or disapprove, and log changes to organizational systems.	Azure subscriptions should have a log profile for Activity Log	1.0.0
Identification and Authentication	IA.1.077	Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identification and Authentication	IA.1.077	Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identification and Authentication	IA.1.077	Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Identification and Authentication	IA.3.083	Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identification and Authentication	IA.3.083	Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identification and Authentication	IA.3.083	Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Identification and Authentication	IA.3.084	Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identification and Authentication	IA.3.084	Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identification and Authentication	IA.3.084	Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Incident Response	IR.2.092	Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.	Email notification for high severity alerts should be enabled	1.0.1
Incident Response	IR.2.092	Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.	Email notification to subscription owner for high severity alerts should be enabled	2.0.0
Incident Response	IR.2.092	Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.	Subscriptions should have a contact email address for security issues	1.0.1
Incident Response	IR.2.093	Detect and report events.	An activity log alert should exist for specific Security operations	1.0.0
Incident Response	IR.2.093	Detect and report events.	Azure Defender for App Service should be enabled	1.0.3
Incident Response	IR.2.093	Detect and report events.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Incident Response	IR.2.093	Detect and report events.	Azure Defender for Key Vault should be enabled	1.0.3
Incident Response	IR.2.093	Detect and report events.	Azure Defender for servers should be enabled	1.0.3
Incident Response	IR.2.093	Detect and report events.	Azure Defender for SQL servers on machines should be enabled	1.0.2
Incident Response	IR.2.093	Detect and report events.	Azure Defender for Storage should be enabled	1.0.3
Incident Response	IR.2.093	Detect and report events.	Email notification for high severity alerts should be enabled	1.0.1
Incident Response	IR.2.093	Detect and report events.	Microsoft Defender for Containers should be enabled	1.0.0
Recovery	RE.2.137	Regularly perform and test data back-ups.	Audit virtual machines without disaster recovery configured	1.0.0
Recovery	RE.3.139	Regularly perform complete, comprehensive and resilient data backups as organizationally-defined.	Audit virtual machines without disaster recovery configured	1.0.0
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Azure Defender for App Service should be enabled	1.0.3
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Azure Defender for Key Vault should be enabled	1.0.3
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Azure Defender for servers should be enabled	1.0.3
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Azure Defender for SQL servers on machines should be enabled	1.0.2
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Azure Defender for Storage should be enabled	1.0.3
Risk Assessment	RM.2.141	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.	Microsoft Defender for Containers should be enabled	1.0.0
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Azure Defender for App Service should be enabled	1.0.3
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Azure Defender for Key Vault should be enabled	1.0.3
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Azure Defender for servers should be enabled	1.0.3
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Azure Defender for SQL servers on machines should be enabled	1.0.2
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Azure Defender for Storage should be enabled	1.0.3
Risk Assessment	RM.2.142	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.	Microsoft Defender for Containers should be enabled	1.0.0
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Azure Defender for App Service should be enabled	1.0.3
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Azure Defender for Key Vault should be enabled	1.0.3
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Azure Defender for servers should be enabled	1.0.3
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Azure Defender for SQL servers on machines should be enabled	1.0.2
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Azure Defender for Storage should be enabled	1.0.3
Risk Assessment	RM.2.143	Remediate vulnerabilities in accordance with risk assessments.	Microsoft Defender for Containers should be enabled	1.0.0
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Azure Defender for App Service should be enabled	1.0.3
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Azure Defender for Key Vault should be enabled	1.0.3
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Azure Defender for servers should be enabled	1.0.3
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Azure Defender for SQL servers on machines should be enabled	1.0.2
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Azure Defender for Storage should be enabled	1.0.3
Risk Management	RM.3.144	Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.	Microsoft Defender for Containers should be enabled	1.0.0
System and Communications Protection	SC.3.181	Separate user functionality from system management functionality.	A maximum of 3 owners should be designated for your subscription	3.0.0
System and Communications Protection	SC.3.181	Separate user functionality from system management functionality.	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
System and Communications Protection	SC.3.181	Separate user functionality from system management functionality.	External accounts with owner permissions should be removed from your subscription	3.0.0
System and Communications Protection	SC.3.181	Separate user functionality from system management functionality.	There should be more than one owner assigned to your subscription	3.0.0
System and Communications Protection	SC.3.187	Establish and manage cryptographic keys for cryptography employed in organizational systems.	Azure Defender for Key Vault should be enabled	1.0.3
System and Communications Protection	SC.3.190	Protect the authenticity of communications sessions.	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
System and Communications Protection	SC.3.190	Protect the authenticity of communications sessions.	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
System and Communications Protection	SC.3.190	Protect the authenticity of communications sessions.	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Azure Defender for App Service should be enabled	1.0.3
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Azure Defender for Key Vault should be enabled	1.0.3
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Azure Defender for servers should be enabled	1.0.3
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Azure Defender for SQL servers on machines should be enabled	1.0.2
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Azure Defender for Storage should be enabled	1.0.3
System and Information Integrity	SI.1.213	Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.	Microsoft Defender for Containers should be enabled	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Policy operations	3.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	An activity log alert should exist for specific Security operations	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Defender for App Service should be enabled	1.0.3
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Defender for Key Vault should be enabled	1.0.3
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Defender for servers should be enabled	1.0.3
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Defender for SQL servers on machines should be enabled	1.0.2
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Defender for Storage should be enabled	1.0.3
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure Monitor should collect activity logs from all regions	2.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Azure subscriptions should have a log profile for Activity Log	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Email notification to subscription owner for high severity alerts should be enabled	2.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Microsoft Defender for Containers should be enabled	1.0.0
System and Information Integrity	SI.2.216	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.	Subscriptions should have a contact email address for security issues	1.0.1
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	Activity log should be retained for at least one year	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Administrative operations	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Policy operations	3.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	An activity log alert should exist for specific Security operations	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	Azure Monitor should collect activity logs from all regions	2.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	Azure subscriptions should have a log profile for Activity Log	1.0.0
System and Information Integrity	SI.2.217	Identify unauthorized use of organizational systems.	Email notification to subscription owner for high severity alerts should be enabled	2.0.0

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain	Control ID	Control title	Policy _{(Azure portal)}	Policy version _(GitHub)
Access Control	AC-1	Access Control Policy And Procedures	Develop access control policies and procedures	1.1.0
Access Control	AC-1	Access Control Policy And Procedures	Enforce mandatory and discretionary access control policies	1.1.0
Access Control	AC-1	Access Control Policy And Procedures	Govern policies and procedures	1.1.0
Access Control	AC-1	Access Control Policy And Procedures	Review access control policies and procedures	1.1.0
Access Control	AC-2	Account Management	A maximum of 3 owners should be designated for your subscription	3.0.0
Access Control	AC-2	Account Management	Assign account managers	1.1.0
Access Control	AC-2	Account Management	Audit user account status	1.1.0
Access Control	AC-2	Account Management	Define and enforce conditions for shared and group accounts	1.1.0
Access Control	AC-2	Account Management	Define information system account types	1.1.0
Access Control	AC-2	Account Management	Deprecated accounts should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	Deprecated accounts with owner permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	Document access privileges	1.1.0
Access Control	AC-2	Account Management	Establish conditions for role membership	1.1.0
Access Control	AC-2	Account Management	External accounts with owner permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	External accounts with read permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	External accounts with write permissions should be removed from your subscription	3.0.0
Access Control	AC-2	Account Management	Monitor account activity	1.1.0
Access Control	AC-2	Account Management	Notify Account Managers of customer controlled accounts	1.1.0
Access Control	AC-2	Account Management	Reissue authenticators for changed groups and accounts	1.1.0
Access Control	AC-2	Account Management	Require approval for account creation	1.1.0
Access Control	AC-2	Account Management	Restrict access to privileged accounts	1.1.0
Access Control	AC-2	Account Management	Review account provisioning logs	1.1.0
Access Control	AC-2	Account Management	Review user accounts	1.1.0
Access Control	AC-2 (1)	Automated System Account Management	Automate account management	1.1.0
Access Control	AC-2 (1)	Automated System Account Management	Manage system and admin accounts	1.1.0
Access Control	AC-2 (1)	Automated System Account Management	Monitor access across the organization	1.1.0
Access Control	AC-2 (1)	Automated System Account Management	Notify when account is not needed	1.1.0
Access Control	AC-2 (3)	Disable Inactive Accounts	Disable authenticators upon termination	1.1.0
Access Control	AC-2 (3)	Disable Inactive Accounts	Revoke privileged roles as appropriate	1.1.0
Access Control	AC-2 (4)	Automated Audit Actions	Audit user account status	1.1.0
Access Control	AC-2 (4)	Automated Audit Actions	Automate account management	1.1.0
Access Control	AC-2 (4)	Automated Audit Actions	Manage system and admin accounts	1.1.0
Access Control	AC-2 (4)	Automated Audit Actions	Monitor access across the organization	1.1.0
Access Control	AC-2 (4)	Automated Audit Actions	Notify when account is not needed	1.1.0
Access Control	AC-2 (5)	Inactivity Logout	Define and enforce inactivity log policy	1.1.0
Access Control	AC-2 (7)	Role-Based Schemes	Audit privileged functions	1.1.0
Access Control	AC-2 (7)	Role-Based Schemes	Monitor account activity	1.1.0
Access Control	AC-2 (7)	Role-Based Schemes	Monitor privileged role assignment	1.1.0
Access Control	AC-2 (7)	Role-Based Schemes	Restrict access to privileged accounts	1.1.0
Access Control	AC-2 (7)	Role-Based Schemes	Revoke privileged roles as appropriate	1.1.0
Access Control	AC-2 (7)	Role-Based Schemes	Use privileged identity management	1.1.0
Access Control	AC-2 (9)	Restrictions On Use Of Shared Groups / Accounts	Define and enforce conditions for shared and group accounts	1.1.0
Access Control	AC-2 (10)	Shared / Group Account Credential Termination	Terminate customer controlled account credentials	1.1.0
Access Control	AC-2 (11)	Usage Conditions	Enforce appropriate usage of all accounts	1.1.0
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for App Service should be enabled	1.0.3
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for DNS should be enabled	1.0.0
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for Key Vault should be enabled	1.0.3
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for Resource Manager should be enabled	1.0.0
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for servers should be enabled	1.0.3
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for SQL servers on machines should be enabled	1.0.2
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Azure Defender for Storage should be enabled	1.0.3
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Microsoft Defender for Containers should be enabled	1.0.0
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Monitor account activity	1.1.0
Access Control	AC-2 (12)	Account Monitoring / Atypical Usage	Report atypical behavior of user accounts	1.1.0
Access Control	AC-2 (13)	Disable Accounts For High-Risk Individuals	Disable user accounts posing a significant risk	1.1.0
Access Control	AC-3	Access Enforcement	Authorize access to security functions and information	1.1.0
Access Control	AC-3	Access Enforcement	Authorize and manage access	1.1.0
Access Control	AC-3	Access Enforcement	Enforce logical access	1.1.0
Access Control	AC-3	Access Enforcement	Enforce mandatory and discretionary access control policies	1.1.0
Access Control	AC-3	Access Enforcement	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Access Control	AC-3	Access Enforcement	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Access Control	AC-3	Access Enforcement	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Access Control	AC-3	Access Enforcement	Require approval for account creation	1.1.0
Access Control	AC-3	Access Enforcement	Review user groups and applications with access to sensitive data	1.1.0
Access Control	AC-4	Information Flow Enforcement	Control information flow	1.1.0
Access Control	AC-4	Information Flow Enforcement	Employ flow control mechanisms of encrypted information	1.1.0
Access Control	AC-4 (8)	Security Policy Filters	Information flow control using security policy filters	1.1.0
Access Control	AC-4 (21)	Physical / Logical Separation Of Information Flows	Control information flow	1.1.0
Access Control	AC-4 (21)	Physical / Logical Separation Of Information Flows	Establish firewall and router configuration standards	1.1.0
Access Control	AC-4 (21)	Physical / Logical Separation Of Information Flows	Establish network segmentation for card holder data environment	1.1.0
Access Control	AC-4 (21)	Physical / Logical Separation Of Information Flows	Identify and manage downstream information exchanges	1.1.0
Access Control	AC-5	Separation Of Duties	Define access authorizations to support separation of duties	1.1.0
Access Control	AC-5	Separation Of Duties	Document separation of duties	1.1.0
Access Control	AC-5	Separation Of Duties	Separate duties of individuals	1.1.0
Access Control	AC-5	Separation Of Duties	There should be more than one owner assigned to your subscription	3.0.0
Access Control	AC-6	Least Privilege	A maximum of 3 owners should be designated for your subscription	3.0.0
Access Control	AC-6	Least Privilege	Design an access control model	1.1.0
Access Control	AC-6	Least Privilege	Employ least privilege access	1.1.0
Access Control	AC-6 (1)	Authorize Access To Security Functions	Authorize access to security functions and information	1.1.0
Access Control	AC-6 (1)	Authorize Access To Security Functions	Authorize and manage access	1.1.0
Access Control	AC-6 (1)	Authorize Access To Security Functions	Enforce mandatory and discretionary access control policies	1.1.0
Access Control	AC-6 (5)	Privileged Accounts	Restrict access to privileged accounts	1.1.0
Access Control	AC-6 (7)	Review Of User Privileges	A maximum of 3 owners should be designated for your subscription	3.0.0
Access Control	AC-6 (7)	Review Of User Privileges	Reassign or remove user privileges as needed	1.1.0
Access Control	AC-6 (7)	Review Of User Privileges	Review user privileges	1.1.0
Access Control	AC-6 (8)	Privilege Levels For Code Execution	Enforce software execution privileges	1.1.0
Access Control	AC-6 (9)	Auditing Use Of Privileged Functions	Audit privileged functions	1.1.0
Access Control	AC-6 (9)	Auditing Use Of Privileged Functions	Conduct a full text analysis of logged privileged commands	1.1.0
Access Control	AC-6 (9)	Auditing Use Of Privileged Functions	Monitor privileged role assignment	1.1.0
Access Control	AC-6 (9)	Auditing Use Of Privileged Functions	Restrict access to privileged accounts	1.1.0
Access Control	AC-6 (9)	Auditing Use Of Privileged Functions	Revoke privileged roles as appropriate	1.1.0
Access Control	AC-6 (9)	Auditing Use Of Privileged Functions	Use privileged identity management	1.1.0
Access Control	AC-7	Unsuccessful Logon Attempts	Enforce a limit of consecutive failed login attempts	1.1.0
Access Control	AC-10	Concurrent Session Control	Define and enforce the limit of concurrent sessions	1.1.0
Access Control	AC-12	Session Termination	Terminate user session automatically	1.1.0
Access Control	AC-12 (1)	User-Initiated Logouts / Message Displays	Display an explicit logout message	1.1.0
Access Control	AC-12 (1)	User-Initiated Logouts / Message Displays	Provide the logout capability	1.1.0
Access Control	AC-14	Permitted Actions Without Identification Or
Authentication	Identify actions allowed without authentication	1.1.0
Access Control	AC-17	Remote Access	Authorize remote access	1.1.0
Access Control	AC-17	Remote Access	Document mobility training	1.1.0
Access Control	AC-17	Remote Access	Document remote access guidelines	1.1.0
Access Control	AC-17	Remote Access	Implement controls to secure alternate work sites	1.1.0
Access Control	AC-17	Remote Access	Provide privacy training	1.1.0
Access Control	AC-17 (1)	Automated Monitoring / Control	Monitor access across the organization	1.1.0
Access Control	AC-17 (2)	Protection Of Confidentiality / Integrity Using Encryption	Notify users of system logon or access	1.1.0
Access Control	AC-17 (2)	Protection Of Confidentiality / Integrity Using Encryption	Protect data in transit using encryption	1.1.0
Access Control	AC-17 (3)	Managed Access Control Points	Route traffic through managed network access points	1.1.0
Access Control	AC-17 (4)	Privileged Commands / Access	Authorize remote access	1.1.0
Access Control	AC-17 (4)	Privileged Commands / Access	Authorize remote access to privileged commands	1.1.0
Access Control	AC-17 (4)	Privileged Commands / Access	Document remote access guidelines	1.1.0
Access Control	AC-17 (4)	Privileged Commands / Access	Implement controls to secure alternate work sites	1.1.0
Access Control	AC-17 (4)	Privileged Commands / Access	Provide privacy training	1.1.0
Access Control	AC-17 (9)	Disconnect / Disable Access	Provide capability to disconnect or disable remote access	1.1.0
Access Control	AC-18	Wireless Access	Document and implement wireless access guidelines	1.1.0
Access Control	AC-18	Wireless Access	Protect wireless access	1.1.0
Access Control	AC-18 (1)	Authentication And Encryption	Document and implement wireless access guidelines	1.1.0
Access Control	AC-18 (1)	Authentication And Encryption	Identify and authenticate network devices	1.1.0
Access Control	AC-18 (1)	Authentication And Encryption	Protect wireless access	1.1.0
Access Control	AC-19	Access Control For Mobile Devices	Define mobile device requirements	1.1.0
Access Control	AC-19 (5)	Full Device / Container-Based Encryption	Define mobile device requirements	1.1.0
Access Control	AC-19 (5)	Full Device / Container-Based Encryption	Protect data in transit using encryption	1.1.0
Access Control	AC-20	Use Of External Information Systems	Establish terms and conditions for accessing resources	1.1.0
Access Control	AC-20	Use Of External Information Systems	Establish terms and conditions for processing resources	1.1.0
Access Control	AC-20 (1)	Limits On Authorized Use	Verify security controls for external information systems	1.1.0
Access Control	AC-20 (2)	Portable Storage Devices	Block untrusted and unsigned processes that run from USB	1.1.0
Access Control	AC-20 (2)	Portable Storage Devices	Control use of portable storage devices	1.1.0
Access Control	AC-20 (2)	Portable Storage Devices	Implement controls to secure all media	1.1.0
Access Control	AC-21	Information Sharing	Automate information sharing decisions	1.1.0
Access Control	AC-21	Information Sharing	Facilitate information sharing	1.1.0
Access Control	AC-22	Publicly Accessible Content	Designate authorized personnel to post publicly accessible information	1.1.0
Access Control	AC-22	Publicly Accessible Content	Review content prior to posting publicly accessible information	1.1.0
Access Control	AC-22	Publicly Accessible Content	Review publicly accessible content for nonpublic information	1.1.0
Access Control	AC-22	Publicly Accessible Content	Train personnel on disclosure of nonpublic information	1.1.0
Awareness And Training	AT-1	Security Awareness And Training Policy Andprocedures	Document security and privacy training activities	1.1.0
Awareness And Training	AT-1	Security Awareness And Training Policy Andprocedures	Update information security policies	1.1.0
Awareness And Training	AT-2	Security Awareness Training	Provide periodic security awareness training	1.1.0
Awareness And Training	AT-2	Security Awareness Training	Provide security training for new users	1.1.0
Awareness And Training	AT-2	Security Awareness Training	Provide updated security awareness training	1.1.0
Awareness And Training	AT-2 (2)	Insider Threat	Provide security awareness training for insider threats	1.1.0
Awareness And Training	AT-3	Role-Based Security Training	Provide periodic role-based security training	1.1.0
Awareness And Training	AT-3	Role-Based Security Training	Provide role-based security training	1.1.0
Awareness And Training	AT-3	Role-Based Security Training	Provide security training before providing access	1.1.0
Awareness And Training	AT-3 (3)	Practical Exercises	Provide role-based practical exercises	1.1.0
Awareness And Training	AT-3 (4)	Suspicious Communications And Anomalous System Behavior	Provide role-based training on suspicious activities	1.1.0
Awareness And Training	AT-4	Security Training Records	Document security and privacy training activities	1.1.0
Awareness And Training	AT-4	Security Training Records	Monitor security and privacy training completion	1.1.0
Awareness And Training	AT-4	Security Training Records	Retain training records	1.1.0
Audit And Accountability	AU-1	Audit And Accountability Policy And
Procedures	Develop audit and accountability policies and procedures	1.1.0
Audit And Accountability	AU-1	Audit And Accountability Policy And
Procedures	Develop information security policies and procedures	1.1.0
Audit And Accountability	AU-1	Audit And Accountability Policy And
Procedures	Govern policies and procedures	1.1.0
Audit And Accountability	AU-1	Audit And Accountability Policy And
Procedures	Update information security policies	1.1.0
Audit And Accountability	AU-2	Audit Events	Determine auditable events	1.1.0
Audit And Accountability	AU-2 (3)	Reviews And Updates	Review and update the events defined in AU-02	1.1.0
Audit And Accountability	AU-3	Content Of Audit Records	Determine auditable events	1.1.0
Audit And Accountability	AU-3 (1)	Additional Audit Information	Configure Azure Audit capabilities	1.1.1
Audit And Accountability	AU-4	Audit Storage Capacity	Govern and monitor audit processing activities	1.1.0
Audit And Accountability	AU-5	Response To Audit Processing Failures	Govern and monitor audit processing activities	1.1.0
Audit And Accountability	AU-5 (2)	Real-Time Alerts	Provide real-time alerts for audit event failures	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for App Service should be enabled	1.0.3
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for DNS should be enabled	1.0.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for Key Vault should be enabled	1.0.3
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for Resource Manager should be enabled	1.0.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for servers should be enabled	1.0.3
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for SQL servers on machines should be enabled	1.0.2
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Azure Defender for Storage should be enabled	1.0.3
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Correlate audit records	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Establish requirements for audit review and reporting	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Integrate audit review, analysis, and reporting	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Integrate cloud app security with a siem	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Microsoft Defender for Containers should be enabled	1.0.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review account provisioning logs	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review administrator assignments weekly	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review audit data	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review cloud identity report overview	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review controlled folder access events	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review file and folder activity	1.1.0
Audit And Accountability	AU-6	Audit Review, Analysis, And Reporting	Review role group changes weekly	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Correlate audit records	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Establish requirements for audit review and reporting	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Integrate audit review, analysis, and reporting	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Integrate cloud app security with a siem	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review account provisioning logs	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review administrator assignments weekly	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review audit data	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review cloud identity report overview	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review controlled folder access events	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review file and folder activity	1.1.0
Audit And Accountability	AU-6 (1)	Process Integration	Review role group changes weekly	1.1.0
Audit And Accountability	AU-6 (3)	Correlate Audit Repositories	Correlate audit records	1.1.0
Audit And Accountability	AU-6 (3)	Correlate Audit Repositories	Integrate cloud app security with a siem	1.1.0
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for App Service should be enabled	1.0.3
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for DNS should be enabled	1.0.0
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for Key Vault should be enabled	1.0.3
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for Resource Manager should be enabled	1.0.0
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for servers should be enabled	1.0.3
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for SQL servers on machines should be enabled	1.0.2
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Azure Defender for Storage should be enabled	1.0.3
Audit And Accountability	AU-6 (4)	Central Review And Analysis	Microsoft Defender for Containers should be enabled	1.0.0
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for App Service should be enabled	1.0.3
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for DNS should be enabled	1.0.0
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for Key Vault should be enabled	1.0.3
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for Resource Manager should be enabled	1.0.0
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for servers should be enabled	1.0.3
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for SQL servers on machines should be enabled	1.0.2
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Azure Defender for Storage should be enabled	1.0.3
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Integrate Audit record analysis	1.1.0
Audit And Accountability	AU-6 (5)	Integration / Scanning And Monitoring Capabilities	Microsoft Defender for Containers should be enabled	1.0.0
Audit And Accountability	AU-6 (7)	Permitted Actions	Specify permitted actions associated with customer audit information	1.1.0
Audit And Accountability	AU-6 (10)	Audit Level Adjustment	Adjust level of audit review, analysis, and reporting	1.1.0
Audit And Accountability	AU-7	Audit Reduction And Report Generation	Ensure audit records are not altered	1.1.0
Audit And Accountability	AU-7	Audit Reduction And Report Generation	Provide audit review, analysis, and reporting capability	1.1.0
Audit And Accountability	AU-7 (1)	Automatic Processing	Provide capability to process customer-controlled audit records	1.1.0
Audit And Accountability	AU-8	Time Stamps	Use system clocks for audit records	1.1.0
Audit And Accountability	AU-8 (1)	Synchronization With Authoritative Time Source	Use system clocks for audit records	1.1.0
Audit And Accountability	AU-9	Protection Of Audit Information	Enable dual or joint authorization	1.1.0
Audit And Accountability	AU-9	Protection Of Audit Information	Protect audit information	1.1.0
Audit And Accountability	AU-9 (2)	Audit Backup On Separate Physical Systems / Components	Establish backup policies and procedures	1.1.0
Audit And Accountability	AU-9 (3)	Cryptographic Protection	Maintain integrity of audit system	1.1.0
Audit And Accountability	AU-9 (4)	Access By Subset Of Privileged Users	Protect audit information	1.1.0
Audit And Accountability	AU-10	Non-Repudiation	Establish electronic signature and certificate requirements	1.1.0
Audit And Accountability	AU-11	Audit Record Retention	Adhere to retention periods defined	1.1.0
Audit And Accountability	AU-11	Audit Record Retention	Retain security policies and procedures	1.1.0
Audit And Accountability	AU-11	Audit Record Retention	Retain terminated user data	1.1.0
Audit And Accountability	AU-12	Audit Generation	Audit privileged functions	1.1.0
Audit And Accountability	AU-12	Audit Generation	Audit user account status	1.1.0
Audit And Accountability	AU-12	Audit Generation	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Audit And Accountability	AU-12	Audit Generation	Azure Defender for App Service should be enabled	1.0.3
Audit And Accountability	AU-12	Audit Generation	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Audit And Accountability	AU-12	Audit Generation	Azure Defender for DNS should be enabled	1.0.0
Audit And Accountability	AU-12	Audit Generation	Azure Defender for Key Vault should be enabled	1.0.3
Audit And Accountability	AU-12	Audit Generation	Azure Defender for Resource Manager should be enabled	1.0.0
Audit And Accountability	AU-12	Audit Generation	Azure Defender for servers should be enabled	1.0.3
Audit And Accountability	AU-12	Audit Generation	Azure Defender for SQL servers on machines should be enabled	1.0.2
Audit And Accountability	AU-12	Audit Generation	Azure Defender for Storage should be enabled	1.0.3
Audit And Accountability	AU-12	Audit Generation	Determine auditable events	1.1.0
Audit And Accountability	AU-12	Audit Generation	Microsoft Defender for Containers should be enabled	1.0.0
Audit And Accountability	AU-12	Audit Generation	Review audit data	1.1.0
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Auto provisioning of the Log Analytics agent should be enabled on your subscription	1.0.1
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for App Service should be enabled	1.0.3
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for DNS should be enabled	1.0.0
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for Key Vault should be enabled	1.0.3
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for Resource Manager should be enabled	1.0.0
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for servers should be enabled	1.0.3
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for SQL servers on machines should be enabled	1.0.2
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Azure Defender for Storage should be enabled	1.0.3
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Compile Audit records into system wide audit	1.1.0
Audit And Accountability	AU-12 (1)	System-Wide / Time-Correlated Audit Trail	Microsoft Defender for Containers should be enabled	1.0.0
Audit And Accountability	AU-12 (3)	Changes By Authorized Individuals	Provide the capability to extend or limit auditing on customer-deployed resources	1.1.0
Security Assessment And Authorization	CA-1	Security Assessment And Authorization
Policy And Procedures	Review security assessment and authorization policies and procedures	1.1.0
Security Assessment And Authorization	CA-2	Security Assessments	Assess Security Controls	1.1.0
Security Assessment And Authorization	CA-2	Security Assessments	Deliver security assessment results	1.1.0
Security Assessment And Authorization	CA-2	Security Assessments	Develop security assessment plan	1.1.0
Security Assessment And Authorization	CA-2	Security Assessments	Produce Security Assessment report	1.1.0
Security Assessment And Authorization	CA-2 (1)	Independent Assessors	Employ independent assessors to conduct security control assessments	1.1.0
Security Assessment And Authorization	CA-2 (2)	Specialized Assessments	Select additional testing for security control assessments	1.1.0
Security Assessment And Authorization	CA-2 (3)	External Organizations	Accept assessment results	1.1.0
Security Assessment And Authorization	CA-3	System Interconnections	Require interconnection security agreements	1.1.0
Security Assessment And Authorization	CA-3	System Interconnections	Update interconnection security agreements	1.1.0
Security Assessment And Authorization	CA-3 (3)	Unclassified Non-National Security System Connections	Implement system boundary protection	1.1.0
Security Assessment And Authorization	CA-3 (5)	Restrictions On External System Connections	Employ restrictions on external system interconnections	1.1.0
Security Assessment And Authorization	CA-5	Plan Of Action And Milestones	Develop POA&M	1.1.0
Security Assessment And Authorization	CA-5	Plan Of Action And Milestones	Update POA&M items	1.1.0
Security Assessment And Authorization	CA-6	Security Authorization	Assign an authorizing official (AO)	1.1.0
Security Assessment And Authorization	CA-6	Security Authorization	Ensure resources are authorized	1.1.0
Security Assessment And Authorization	CA-6	Security Authorization	Update the security authorization	1.1.0
Security Assessment And Authorization	CA-7	Continuous Monitoring	Configure detection allowlist	1.1.0
Security Assessment And Authorization	CA-7	Continuous Monitoring	Turn on sensors for endpoint security solution	1.1.0
Security Assessment And Authorization	CA-7	Continuous Monitoring	Undergo independent security review	1.1.0
Security Assessment And Authorization	CA-7 (1)	Independent Assessment	Employ independent assessors for continuous monitoring	1.1.0
Security Assessment And Authorization	CA-7 (3)	Trend Analyses	Analyse data obtained from continuous monitoring	1.1.0
Security Assessment And Authorization	CA-8 (1)	Independent Penetration Agent Or Team	Employ independent team for penetration testing	1.1.0
Security Assessment And Authorization	CA-9	Internal System Connections	Check for privacy and security compliance before establishing internal connections	1.1.0
Configuration Management	CM-1	Configuration Management Policy And Procedures	Review and update configuration management policies and procedures	1.1.0
Configuration Management	CM-2	Baseline Configuration	Configure actions for noncompliant devices	1.1.0
Configuration Management	CM-2	Baseline Configuration	Develop and maintain baseline configurations	1.1.0
Configuration Management	CM-2	Baseline Configuration	Enforce security configuration settings	1.1.0
Configuration Management	CM-2	Baseline Configuration	Establish a configuration control board	1.1.0
Configuration Management	CM-2	Baseline Configuration	Establish and document a configuration management plan	1.1.0
Configuration Management	CM-2	Baseline Configuration	Implement an automated configuration management tool	1.1.0
Configuration Management	CM-2 (2)	Automation Support For Accuracy / Currency	Configure actions for noncompliant devices	1.1.0
Configuration Management	CM-2 (2)	Automation Support For Accuracy / Currency	Develop and maintain baseline configurations	1.1.0
Configuration Management	CM-2 (2)	Automation Support For Accuracy / Currency	Enforce security configuration settings	1.1.0
Configuration Management	CM-2 (2)	Automation Support For Accuracy / Currency	Establish a configuration control board	1.1.0
Configuration Management	CM-2 (2)	Automation Support For Accuracy / Currency	Establish and document a configuration management plan	1.1.0
Configuration Management	CM-2 (2)	Automation Support For Accuracy / Currency	Implement an automated configuration management tool	1.1.0
Configuration Management	CM-2 (3)	Retention Of Previous Configurations	Retain previous versions of baseline configs	1.1.0
Configuration Management	CM-2 (7)	Configure Systems, Components, Or Devices For High-Risk Areas	Ensure security safeguards not needed when the individuals return	1.1.0
Configuration Management	CM-2 (7)	Configure Systems, Components, Or Devices For High-Risk Areas	Not allow for information systems to accompany with individuals	1.1.0
Configuration Management	CM-3	Configuration Change Control	Conduct a security impact analysis	1.1.0
Configuration Management	CM-3	Configuration Change Control	Develop and maintain a vulnerability management standard	1.1.0
Configuration Management	CM-3	Configuration Change Control	Establish a risk management strategy	1.1.0
Configuration Management	CM-3	Configuration Change Control	Establish and document change control processes	1.1.0
Configuration Management	CM-3	Configuration Change Control	Establish configuration management requirements for developers	1.1.0
Configuration Management	CM-3	Configuration Change Control	Perform a privacy impact assessment	1.1.0
Configuration Management	CM-3	Configuration Change Control	Perform a risk assessment	1.1.0
Configuration Management	CM-3	Configuration Change Control	Perform audit for configuration change control	1.1.0
Configuration Management	CM-3 (1)	Automated Document / Notification / Prohibition Of Changes	Automate approval request for proposed changes	1.1.0
Configuration Management	CM-3 (1)	Automated Document / Notification / Prohibition Of Changes	Automate implementation of approved change notifications	1.1.0
Configuration Management	CM-3 (1)	Automated Document / Notification / Prohibition Of Changes	Automate process to document implemented changes	1.1.0
Configuration Management	CM-3 (1)	Automated Document / Notification / Prohibition Of Changes	Automate process to highlight unreviewed change proposals	1.1.0
Configuration Management	CM-3 (1)	Automated Document / Notification / Prohibition Of Changes	Automate process to prohibit implementation of unapproved changes	1.1.0
Configuration Management	CM-3 (1)	Automated Document / Notification / Prohibition Of Changes	Automate proposed documented changes	1.1.0
Configuration Management	CM-3 (2)	Test / Validate / Document Changes	Establish and document change control processes	1.1.0
Configuration Management	CM-3 (2)	Test / Validate / Document Changes	Establish configuration management requirements for developers	1.1.0
Configuration Management	CM-3 (2)	Test / Validate / Document Changes	Perform audit for configuration change control	1.1.0
Configuration Management	CM-3 (4)	Security Representative	Assign information security representative to change control	1.1.0
Configuration Management	CM-3 (6)	Cryptography Management	Ensure cryptographic mechanisms are under configuration management	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Conduct a security impact analysis	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Develop and maintain a vulnerability management standard	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Establish a risk management strategy	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Establish and document change control processes	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Establish configuration management requirements for developers	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Perform a privacy impact assessment	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Perform a risk assessment	1.1.0
Configuration Management	CM-4	Security Impact Analysis	Perform audit for configuration change control	1.1.0
Configuration Management	CM-4 (1)	Separate Test Environments	Conduct a security impact analysis	1.1.0
Configuration Management	CM-4 (1)	Separate Test Environments	Establish and document change control processes	1.1.0
Configuration Management	CM-4 (1)	Separate Test Environments	Establish configuration management requirements for developers	1.1.0
Configuration Management	CM-4 (1)	Separate Test Environments	Perform a privacy impact assessment	1.1.0
Configuration Management	CM-4 (1)	Separate Test Environments	Perform audit for configuration change control	1.1.0
Configuration Management	CM-5	Access Restrictions For Change	Establish and document change control processes	1.1.0
Configuration Management	CM-5 (1)	Automated Access Enforcement / Auditing	Enforce and audit access restrictions	1.1.0
Configuration Management	CM-5 (2)	Review System Changes	Review changes for any unauthorized changes	1.1.0
Configuration Management	CM-5 (3)	Signed Components	Restrict unauthorized software and firmware installation	1.1.0
Configuration Management	CM-5 (5)	Limit Production / Operational Privileges	Limit privileges to make changes in production environment	1.1.0
Configuration Management	CM-5 (5)	Limit Production / Operational Privileges	Review and reevaluate privileges	1.1.0
Configuration Management	CM-6	Configuration Settings	Enforce security configuration settings	1.1.0
Configuration Management	CM-6	Configuration Settings	Remediate information system flaws	1.1.0
Configuration Management	CM-6 (1)	Automated Central Management / Application / Verification	Enforce security configuration settings	1.1.0
Configuration Management	CM-6 (1)	Automated Central Management / Application / Verification	Govern compliance of cloud service providers	1.1.0
Configuration Management	CM-6 (1)	Automated Central Management / Application / Verification	View and configure system diagnostic data	1.1.0
Configuration Management	CM-7	Least Functionality	Azure Defender for servers should be enabled	1.0.3
Configuration Management	CM-8	Information System Component Inventory	Create a data inventory	1.1.0
Configuration Management	CM-8	Information System Component Inventory	Maintain records of processing of personal data	1.1.0
Configuration Management	CM-8 (1)	Updates During Installations / Removals	Create a data inventory	1.1.0
Configuration Management	CM-8 (1)	Updates During Installations / Removals	Maintain records of processing of personal data	1.1.0
Configuration Management	CM-8 (3)	Automated Unauthorized Component Detection	Enable detection of network devices	1.1.0
Configuration Management	CM-8 (3)	Automated Unauthorized Component Detection	Set automated notifications for new and trending cloud applications in your organization	1.1.0
Configuration Management	CM-8 (4)	Accountability Information	Create a data inventory	1.1.0
Configuration Management	CM-8 (4)	Accountability Information	Establish and maintain an asset inventory	1.1.0
Configuration Management	CM-9	Configuration Management Plan	Create configuration plan protection	1.1.0
Configuration Management	CM-9	Configuration Management Plan	Develop and maintain baseline configurations	1.1.0
Configuration Management	CM-9	Configuration Management Plan	Develop configuration item identification plan	1.1.0
Configuration Management	CM-9	Configuration Management Plan	Develop configuration management plan	1.1.0
Configuration Management	CM-9	Configuration Management Plan	Establish and document a configuration management plan	1.1.0
Configuration Management	CM-9	Configuration Management Plan	Implement an automated configuration management tool	1.1.0
Configuration Management	CM-10	Software Usage Restrictions	Require compliance with intellectual property rights	1.1.0
Configuration Management	CM-10	Software Usage Restrictions	Track software license usage	1.1.0
Configuration Management	CM-10 (1)	Open Source Software	Restrict use of open source software	1.1.0
Contingency Planning	CP-1	Contingency Planning Policy And Procedures	Review and update contingency planning policies and procedures	1.1.0
Contingency Planning	CP-2	Contingency Plan	Communicate contingency plan changes	1.1.0
Contingency Planning	CP-2	Contingency Plan	Coordinate contingency plans with related plans	1.1.0
Contingency Planning	CP-2	Contingency Plan	Develop and document a business continuity and disaster recovery plan	1.1.0
Contingency Planning	CP-2	Contingency Plan	Develop contingency plan	1.1.0
Contingency Planning	CP-2	Contingency Plan	Develop contingency planning policies and procedures	1.1.0
Contingency Planning	CP-2	Contingency Plan	Distribute policies and procedures	1.1.0
Contingency Planning	CP-2	Contingency Plan	Review contingency plan	1.1.0
Contingency Planning	CP-2	Contingency Plan	Update contingency plan	1.1.0
Contingency Planning	CP-2 (1)	Coordinate With Related Plans	Coordinate contingency plans with related plans	1.1.0
Contingency Planning	CP-2 (2)	Capacity Planning	Conduct capacity planning	1.1.0
Contingency Planning	CP-2 (3)	Resume Essential Missions / Business Functions	Plan for resumption of essential business functions	1.1.0
Contingency Planning	CP-2 (4)	Resume All Missions / Business Functions	Resume all mission and business functions	1.1.0
Contingency Planning	CP-2 (5)	Continue Essential Missions / Business Functions	Plan for continuance of essential business functions	1.1.0
Contingency Planning	CP-2 (8)	Identify Critical Assets	Perform a business impact assessment and application criticality assessment	1.1.0
Contingency Planning	CP-3	Contingency Training	Provide contingency training	1.1.0
Contingency Planning	CP-3 (1)	Simulated Events	Incorporate simulated contingency training	1.1.0
Contingency Planning	CP-4	Contingency Plan Testing	Initiate contingency plan testing corrective actions	1.1.0
Contingency Planning	CP-4	Contingency Plan Testing	Review the results of contingency plan testing	1.1.0
Contingency Planning	CP-4	Contingency Plan Testing	Test the business continuity and disaster recovery plan	1.1.0
Contingency Planning	CP-4 (1)	Coordinate With Related Plans	Coordinate contingency plans with related plans	1.1.0
Contingency Planning	CP-4 (2)	Alternate Processing Site	Evaluate alternate processing site capabilities	1.1.0
Contingency Planning	CP-4 (2)	Alternate Processing Site	Test contingency plan at an alternate processing location	1.1.0
Contingency Planning	CP-6	Alternate Storage Site	Ensure alternate storage site safeguards are equivalent to primary site	1.1.0
Contingency Planning	CP-6	Alternate Storage Site	Establish alternate storage site to store and retrieve backup information	1.1.0
Contingency Planning	CP-6 (1)	Separation From Primary Site	Create separate alternate and primary storage sites	1.1.0
Contingency Planning	CP-6 (2)	Recovery Time / Point Objectives	Establish alternate storage site that facilitates recovery operations	1.1.0
Contingency Planning	CP-6 (3)	Accessibility	Identify and mitigate potential issues at alternate storage site	1.1.0
Contingency Planning	CP-7	Alternate Processing Site	Audit virtual machines without disaster recovery configured	1.0.0
Contingency Planning	CP-7	Alternate Processing Site	Establish an alternate processing site	1.1.0
Contingency Planning	CP-7 (1)	Separation From Primary Site	Establish an alternate processing site	1.1.0
Contingency Planning	CP-7 (2)	Accessibility	Establish an alternate processing site	1.1.0
Contingency Planning	CP-7 (3)	Priority Of Service	Establish an alternate processing site	1.1.0
Contingency Planning	CP-7 (3)	Priority Of Service	Establish requirements for internet service providers	1.1.0
Contingency Planning	CP-7 (4)	Preparation For Use	Prepare alternate processing site for use as operational site	1.1.0
Contingency Planning	CP-8 (1)	Priority Of Service Provisions	Establish requirements for internet service providers	1.1.0
Contingency Planning	CP-9	Information System Backup	Conduct backup of information system documentation	1.1.0
Contingency Planning	CP-9	Information System Backup	Establish backup policies and procedures	1.1.0
Contingency Planning	CP-9	Information System Backup	Implement controls to secure all media	1.1.0
Contingency Planning	CP-9 (3)	Separate Storage For Critical Information	Separately store backup information	1.1.0
Contingency Planning	CP-9 (5)	Transfer To Alternate Storage Site	Transfer backup information to an alternate storage site	1.1.0
Contingency Planning	CP-10	Information System Recovery And Reconstitution	Recover and reconstitute resources after any disruption	1.1.1
Contingency Planning	CP-10 (2)	Transaction Recovery	Implement transaction based recovery	1.1.0
Contingency Planning	CP-10 (4)	Restore Within Time Period	Restore resources to operational state	1.1.1
Identification And Authentication	IA-1	Identification And Authentication Policy And Procedures	Review and update identification and authentication policies and procedures	1.1.0
Identification And Authentication	IA-2	Identification And Authentication
(Organizational Users)	Enforce user uniqueness	1.1.0
Identification And Authentication	IA-2	Identification And Authentication
(Organizational Users)	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identification And Authentication	IA-2	Identification And Authentication
(Organizational Users)	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identification And Authentication	IA-2	Identification And Authentication
(Organizational Users)	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Identification And Authentication	IA-2	Identification And Authentication
(Organizational Users)	Support personal verification credentials issued by legal authorities	1.1.0
Identification And Authentication	IA-2 (1)	Network Access To Privileged Accounts	Adopt biometric authentication mechanisms	1.1.0
Identification And Authentication	IA-2 (1)	Network Access To Privileged Accounts	MFA should be enabled for accounts with write permissions on your subscription	3.0.1
Identification And Authentication	IA-2 (1)	Network Access To Privileged Accounts	MFA should be enabled on accounts with owner permissions on your subscription	3.0.0
Identification And Authentication	IA-2 (2)	Network Access To Non-Privileged Accounts	Adopt biometric authentication mechanisms	1.1.0
Identification And Authentication	IA-2 (2)	Network Access To Non-Privileged Accounts	MFA should be enabled on accounts with read permissions on your subscription	3.0.0
Identification And Authentication	IA-2 (3)	Local Access To Privileged Accounts	Adopt biometric authentication mechanisms	1.1.0
Identification And Authentication	IA-2 (5)	Group Authentication	Require use of individual authenticators	1.1.0
Identification And Authentication	IA-2 (11)	Remote Access - Separate Device	Adopt biometric authentication mechanisms	1.1.0
Identification And Authentication	IA-2 (11)	Remote Access - Separate Device	Identify and authenticate network devices	1.1.0
Identification And Authentication	IA-2 (12)	Acceptance Of Piv Credentials	Support personal verification credentials issued by legal authorities	1.1.0
Identification And Authentication	IA-4	Identifier Management	Assign system identifiers	1.1.0
Identification And Authentication	IA-4	Identifier Management	Prevent identifier reuse for the defined time period	1.1.0
Identification And Authentication	IA-4 (4)	Identify User Status	Identify status of individual users	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Establish authenticator types and processes	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Establish procedures for initial authenticator distribution	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Implement training for protecting authenticators	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Manage authenticator lifetime and reuse	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Manage Authenticators	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Refresh authenticators	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Reissue authenticators for changed groups and accounts	1.1.0
Identification And Authentication	IA-5	Authenticator Management	Verify identity before distributing authenticators	1.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Document security strength requirements in acquisition contracts	1.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Establish a password policy	1.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Implement parameters for memorized secret verifiers	1.1.0
Identification And Authentication	IA-5 (1)	Password-Based Authentication	Protect passwords with encryption	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Bind authenticators and identities dynamically	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Establish authenticator types and processes	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Establish parameters for searching secret authenticators and verifiers	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Establish procedures for initial authenticator distribution	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Map authenticated identities to individuals	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Restrict access to private keys	1.1.0
Identification And Authentication	IA-5 (2)	Pki-Based Authentication	Verify identity before distributing authenticators	1.1.0
Identification And Authentication	IA-5 (3)	In-Person Or Trusted Third-Party Registration	Distribute authenticators	1.1.0
Identification And Authentication	IA-5 (4)	Automated Support For Password Strength Determination	Document security strength requirements in acquisition contracts	1.1.0
Identification And Authentication	IA-5 (4)	Automated Support For Password Strength Determination	Establish a password policy	1.1.0
Identification And Authentication	IA-5 (4)	Automated Support For Password Strength Determination	Implement parameters for memorized secret verifiers	1.1.0
Identification And Authentication	IA-5 (6)	Protection Of Authenticators	Ensure authorized users protect provided authenticators	1.1.0
Identification And Authentication	IA-5 (7)	No Embedded Unencrypted Static Authenticators	Ensure there are no unencrypted static authenticators	1.1.0
Identification And Authentication	IA-5 (11)	Hardware Token-Based Authentication	Satisfy token quality requirements	1.1.0
Identification And Authentication	IA-5 (13)	Expiration Of Cached Authenticators	Enforce expiration of cached authenticators	1.1.0
Identification And Authentication	IA-6	Authenticator Feedback	Obscure feedback information during authentication process	1.1.0
Identification And Authentication	IA-7	Cryptographic Module Authentication	Authenticate to cryptographic module	1.1.0
Identification And Authentication	IA-8	Identification And Authentication (Non- Organizational Users)	Identify and authenticate non-organizational users	1.1.0
Identification And Authentication	IA-8 (1)	Acceptance Of Piv Credentials From Other Agencies	Accept PIV credentials	1.1.0
Identification And Authentication	IA-8 (2)	Acceptance Of Third-Party Credentials	Accept only FICAM-approved third-party credentials	1.1.0
Identification And Authentication	IA-8 (3)	Use Of Ficam-Approved Products	Employ FICAM-approved resources to accept third-party credentials	1.1.0
Identification And Authentication	IA-8 (4)	Use Of Ficam-Issued Profiles	Conform to FICAM-issued profiles	1.1.0
Incident Response	IR-1	Incident Response Policy And Procedures	Review and update incident response policies and procedures	1.1.0
Incident Response	IR-2	Incident Response Training	Provide information spillage training	1.1.0
Incident Response	IR-2 (1)	Simulated Events	Incorporate simulated events into incident response training	1.1.0
Incident Response	IR-2 (2)	Automated Training Environments	Employ automated training environment	1.1.0
Incident Response	IR-3	Incident Response Testing	Conduct incident response testing	1.1.0
Incident Response	IR-3	Incident Response Testing	Establish an information security program	1.1.0
Incident Response	IR-3	Incident Response Testing	Run simulation attacks	1.1.0
Incident Response	IR-3 (2)	Coordination With Related Plans	Conduct incident response testing	1.1.0
Incident Response	IR-3 (2)	Coordination With Related Plans	Establish an information security program	1.1.0
Incident Response	IR-3 (2)	Coordination With Related Plans	Run simulation attacks	1.1.0
Incident Response	IR-4	Incident Handling	Assess information security events	1.1.0
Incident Response	IR-4	Incident Handling	Azure Defender for App Service should be enabled	1.0.3
Incident Response	IR-4	Incident Handling	Azure Defender for Azure SQL Database servers should be enabled	1.0.2
Incident Response	IR-4	Incident Handling	Azure Defender for DNS should be enabled	1.0.0
Incident Response	IR-4	Incident Handling	Azure Defender for Key Vault should be enabled	1.0.3
Incident Response	IR-4	Incident Handling	Azure Defender for Resource Manager should be enabled	1.0.0
Incident Response	IR-4	Incident Handling	Azure Defender for servers should be enabled	1.0.3
Incident Response	IR-4	Incident Handling	Azure Defender for SQL servers on machines should be enabled	1.0.2
Incident Response	IR-4	Incident Handling	Azure Defender for Storage should be enabled	1.0.3
Incident Response	IR-4	Incident Handling	Coordinate contingency plans with related plans	1.1.0
Incident Response	IR-4	Incident Handling	Develop an incident response plan	1.1.0
Incident Response	IR-4	Incident Handling	Develop security safeguards	1.1.0
Incident Response	IR-4	Incident Handling	Email notification for high severity alerts should be enabled	1.0.1
Incident Response	IR-4	Incident Handling	Email notification to subscription owner for high severity alerts should be enabled	2.0.0
Incident Response	IR-4	Incident Handling	Enable network protection	1.1.0
Incident Response	IR-4	Incident Handling	Eradicate contaminated information	1.1.0
Incident Response	IR-4	Incident Handling	Execute actions in response to information spills	1.1.0
Incident Response	IR-4	Incident Handling	Implement incident handling	1.1.0
Incident Response	IR-4	Incident Handling	Maintain incident response plan	1.1.0
Incident Response	IR-4	Incident Handling	Microsoft Defender for Containers should be enabled	1.0.0
Incident Response	IR-4	Incident Handling	Perform a trend analysis on threats	1.1.0
Incident Response	IR-4	Incident Handling	Subscriptions should have a contact email address for security issues	1.0.1
Incident Response	IR-4	Incident Handling	View and investigate restricted users	1.1.0
Incident Response	IR-4 (1)	Automated Incident Handling Processes	Develop an incident response plan	1.1.0
Incident Response	IR-4 (1)	Automated Incident Handling Processes	Enable network protection	1.1.0
Incident Response	IR-4 (1)	Automated Incident Handling Processes	Implement incident handling	1.1.0
Incident Response	IR-4 (2)	Dynamic Reconfiguration	Include dynamic reconfig of customer deployed resources<