Azure Policy built-in policy definitions

This page is an index of Azure Policy built-in policy definitions.

The name of each built-in links to the policy definition in the Azure portal. Use the link in the Source column to view the source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata. To go to a specific category, use Ctrl-F for your browser's search feature.

API for FHIR

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. audit, Audit, disabled, Disabled 1.1.0
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. audit, Audit, disabled, Disabled 1.1.0

API Management

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Audit, Disabled, Deny 2.0.2
API Management calls to API backends should be authenticated Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. Audit, Disabled, Deny 1.0.1
API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Audit, Disabled, Deny 1.0.2
API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Audit, Disabled, Deny 1.0.2
API Management minimum API version should be set to 2019-12-01 or higher To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. Audit, Deny, Disabled 1.0.1
API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Audit, Disabled, Deny 1.0.2
API Management service should use a SKU that supports virtual networks With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet. Audit, Deny, Disabled 1.0.0
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Audit, Deny, Disabled 1.0.2
API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. AuditIfNotExists, Disabled 1.0.1
API Management should have username and password authentication disabled To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Audit, Disabled 1.0.1
API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. Audit, Disabled, Deny 1.1.0
Azure API Management platform version should be stv2 Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024 Audit, Deny, Disabled 1.0.0
Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. DeployIfNotExists, Disabled 1.1.0
Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Modify 1.1.0

App Configuration

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Configuration should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Audit, Deny, Disabled 1.0.0
App Configuration should use a customer-managed key Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. Audit, Deny, Disabled 1.1.0
App Configuration should use a SKU that supports private link When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Audit, Deny, Disabled 1.0.0
App Configuration should use geo-replication Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication. AuditIfNotExists, Disabled 1.0.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Audit, Deny, Disabled 1.0.1
Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Modify, Disabled 1.0.1
Configure App Configuration to disable public network access Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. Modify, Disabled 1.0.0
Configure private DNS zones for private endpoints connected to App Configuration Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. DeployIfNotExists, Disabled 1.0.0
Configure private endpoints for App Configuration Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. DeployIfNotExists, Disabled 1.0.0

App Platform

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. Audit, Disabled 1.0.0-preview
Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Audit, Disabled, Deny 1.2.0

App Service

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Audit, Deny, Disabled 1.0.0
App Service app slots should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Audit, Disabled, Deny 1.0.0
App Service app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Audit, Deny, Disabled 1.0.0
App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Audit, Deny, Disabled 1.0.0
App Service app slots should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.3
App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.4
App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.1
App Service app slots should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 1.0.0
App Service app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 1.0.0
App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 2.0.0
App Service app slots should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 1.0.0
App Service app slots should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 1.0.0
App Service app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 1.0.0
App Service app slots should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 1.0.0
App Service app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.1.0
App Service app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
App Service app slots that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
App Service app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Audit, Deny, Disabled 3.0.0
App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Audit, Disabled, Deny 1.1.0
App Service apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Audit, Deny, Disabled 1.0.0
App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Audit, Deny, Disabled 1.0.0
App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. AuditIfNotExists, Disabled 2.0.1
App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.3
App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. AuditIfNotExists, Disabled 1.0.3
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Audit, Deny, Disabled 4.1.0
App Service apps should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 3.0.0
App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
App Service apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
App Service apps should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. AuditIfNotExists, Disabled 1.0.1
App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.1.0
App Service apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. AuditIfNotExists, Disabled 3.1.0
App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. AuditIfNotExists, Disabled 3.2.0
App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 4.1.0
App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Audit, Deny, Disabled 3.0.0
App Service Environment should be configured with strongest TLS Cipher suites The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Audit, Disabled 1.0.0
App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Audit, Deny, Disabled 1.0.0
App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Audit, Disabled 1.0.1
App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Audit, Deny, Disabled 2.0.1
Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.3
Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.3
Configure App Service app slots to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Modify, Disabled 1.1.0
Configure App Service app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Modify, Disabled 2.0.0
Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. DeployIfNotExists, Disabled 1.1.0
Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. DeployIfNotExists, Disabled 1.2.0
Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.3
Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. DeployIfNotExists, Disabled 1.0.3
Configure App Service apps to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Modify, Disabled 1.1.0
Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Modify, Disabled 2.0.0
Configure App Service apps to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. DeployIfNotExists, Disabled 1.0.0
Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. DeployIfNotExists, Disabled 1.0.1
Configure App Service apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. DeployIfNotExists, Disabled 1.1.0
Configure Function app slots to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Modify, Disabled 1.1.0
Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Modify, Disabled 2.0.0
Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. DeployIfNotExists, Disabled 1.1.0
Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. DeployIfNotExists, Disabled 1.2.0
Configure Function apps to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Modify, Disabled 1.1.0
Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Modify, Disabled 2.0.0
Configure Function apps to turn off remote debugging Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. DeployIfNotExists, Disabled 1.0.0
Configure Function apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. DeployIfNotExists, Disabled 1.1.0
Function app slots should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Audit, Disabled, Deny 1.0.0
Function app slots should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
Function app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Function app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 1.0.0
Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 2.0.0
Function app slots should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 1.0.0
Function app slots should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 1.0.0
Function app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 1.0.0
Function app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 1.1.0
Function app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
Function app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 1.0.0
Function apps should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Audit, Disabled, Deny 1.0.0
Function apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. AuditIfNotExists, Disabled 3.0.0
Function apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. AuditIfNotExists, Disabled 1.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
Function apps should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Audit, Disabled 3.0.0
Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. AuditIfNotExists, Disabled 4.0.0
Function apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. AuditIfNotExists, Disabled 2.1.0
Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. AuditIfNotExists, Disabled 3.1.0
Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. AuditIfNotExists, Disabled 4.1.0

Attestation

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Attestation providers should disable public network access To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.0.0
Azure Attestation providers should use private endpoints Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. AuditIfNotExists, Disabled 1.0.0

Automanage

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: A managed identity should be enabled on your machines Resources managed by Automanage should have a managed identity. Audit, Disabled 1.0.0-preview
[Preview]: Automanage Configuration Profile Assignment should be Conformant Resources managed by Automanage should have a status of Conformant or ConformantCorrected. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Boot Diagnostics should be enabled on virtual machines Azure virtual machines should have boot diagniostics enabled. Audit, Disabled 1.0.0-preview
Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. AuditIfNotExists, DeployIfNotExists, Disabled 2.4.0
Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. AuditIfNotExists, DeployIfNotExists, Disabled 1.4.0
Hotpatch should be enabled for Windows Server Azure Edition VMs Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch Audit, Deny, Disabled 1.0.0

Automation

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Automation Account should have Managed Identity Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code . Audit, Disabled 1.0.0
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Automation accounts should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. Audit, Deny, Disabled 1.0.0
Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Audit, Deny, Disabled 1.0.0
Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. Audit, Deny, Disabled 1.0.0
Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Modify, Disabled 1.0.0
Configure Azure Automation accounts to disable public network access Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Modify, Disabled 1.0.0
Configure Azure Automation accounts with private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure private endpoint connections on Azure Automation accounts Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security. DeployIfNotExists, Disabled 1.0.0
Private endpoint connections on Automation Accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security AuditIfNotExists, Disabled 1.0.0

Azure Active Directory

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Audit, Deny, Disabled 1.1.0

Azure AI Services

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure AI Services resources should have key access disabled (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Audit, Deny, Disabled 1.1.0
Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Audit, Deny, Disabled 3.2.0
Azure AI Services resources should use Azure Private Link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview Audit, Disabled 1.0.0
Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth DeployIfNotExists, Disabled 1.0.0
Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth DeployIfNotExists, Disabled 1.0.0
Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised AuditIfNotExists, Disabled 1.0.0

Azure Arc

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Deny Extended Security Updates (ESUs) license creation or modification. This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing Deny, Disabled 1.0.0-preview
[Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. Learn How to prepare to deliver Extended Security Updates for Windows Server 2012 through AzureArc please visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing DeployIfNotExists, Disabled 1.0.0-preview
Azure Arc Private Link Scopes should be configured with a private endpoint Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Audit, Disabled 1.0.0
Azure Arc Private Link Scopes should disable public network access Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. Audit, Deny, Disabled 1.0.0
Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Audit, Deny, Disabled 1.0.0
Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Audit, Deny, Disabled 1.0.0
Configure Azure Arc Private Link Scopes to disable public network access Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. Modify, Disabled 1.0.0
Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. DeployIfNotExists, Disabled 1.2.0
Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. DeployIfNotExists, Disabled 2.0.0
Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Modify, Disabled 1.0.0
Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Modify, Disabled 1.0.0

Azure Data Explorer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All Database Admin on Azure Data Explorer should be disabled Disable all database admin role to restrict granting highly privileged/administrative user role. Audit, Deny, Disabled 1.0.0
Azure Data Explorer cluster should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. Audit, Disabled 1.0.0
Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. Audit, Deny, Disabled 1.0.0
Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Audit, Deny, Disabled 1.0.0
Configure Azure Data Explorer clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. DeployIfNotExists, Disabled 1.0.0
Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters . Modify, Disabled 1.0.0
Disk encryption should be enabled on Azure Data Explorer Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. Audit, Deny, Disabled 2.0.0
Double encryption should be enabled on Azure Data Explorer Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 2.0.0
Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.0.0
Virtual network injection should be enabled for Azure Data Explorer Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. Audit, Deny, Disabled 1.0.0

Azure Databricks

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Audit, Deny, Disabled 1.0.1
Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Audit, Deny, Disabled 1.0.2
Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. Audit, Deny, Disabled 1.0.1
Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. Audit, Deny, Disabled 1.0.1
Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Audit, Disabled 1.0.2
Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. DeployIfNotExists, Disabled 1.0.1
Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. DeployIfNotExists, Disabled 1.0.2
Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.1
Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 1.0.1

Azure Edge Hardware Center

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Audit, Deny, Disabled 2.0.0

Azure Load Testing

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network. Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines. Audit, Deny, Disabled 1.0.0-preview
Azure load testing resource should use customer-managed keys to encrypt data at rest Use customer-managed keys(CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryptio is done using Service managed keys, customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal. Audit, Deny, Disabled 1.0.0

Azure Purview

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Purview accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. Audit, Disabled 1.0.0

Azure Stack Edge

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. audit, Audit, deny, Deny, disabled, Disabled 1.1.0

Azure Update Manager

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines. This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites DeployIfNotExists, Disabled 1.1.0-preview
Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. modify 2.3.0
Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. modify 4.8.0
Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Audit, Deny, Disabled 3.7.0
Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching DeployIfNotExists, Disabled 3.12.0

Backup

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Backup Extension should be installed in AKS clusters Ensure protection installation of backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Backup should be enabled for AKS clusters Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Backup should be enabled for Blobs in Storage Accounts Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Backup should be enabled for Managed Disks Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, option to check if Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when 'Deny' effect is used, it would need you to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault go through. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Recovery Services vaults should disable public network access Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Audit, Disabled 2.0.0-preview
[Preview]: Configure Azure Recovery Services vaults to disable public network access Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Modify, Disabled 1.0.0-preview
[Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0-preview
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. DeployIfNotExists, Disabled 1.0.1-preview
[Preview]: Configure Recovery Services vaults to use private endpoints for backup Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Modify, Disabled 1.1.0-preview
[Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Modify, Disabled 1.1.0-preview
[Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy. Recovery Services vaults can be created with any one of three storage redundancy options today, namely, Locally-redundant Storage, Zone-redundant storage and Geo-redundant storage. If the policies in your organization requires you to block the creation of vaults that belong to a certain redundancy type, you may achieve the same using this Azure policy. Deny, Disabled 1.0.0-preview
[Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Audit, Disabled 1.0.1-preview
[Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Audit, Disabled 1.0.1-preview
[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. AuditIfNotExists, DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. AuditIfNotExists, DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv. Audit, Disabled 1.0.0-preview
[Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV. Audit, Disabled 1.0.0-preview
[Preview]: Soft delete must be enabled for Recovery Services Vaults. This policy audits if soft delete is enabled for Recovery Services Vaults in the scope. Soft delete can help you recover your data even after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete. Audit, Disabled 1.0.0-preview
[Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Audit, Disabled 1.0.0-preview
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 9.4.0
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. deployIfNotExists 1.0.2

Batch

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Audit, Deny, Disabled 1.0.1
Azure Batch pools should have disk encryption enabled Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. Audit, Disabled, Deny 1.0.0
Batch accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Audit, Deny, Disabled 1.0.0
Configure Batch accounts to disable local authentication Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Modify, Disabled 1.0.0
Configure Batch accounts to disable public network access Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Modify, Disabled 1.0.0
Configure Batch accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity. DeployIfNotExists, Disabled 1.0.0
Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch account to enable the required metric AuditIfNotExists, Disabled 1.0.0
Private endpoint connections on Batch accounts should be enabled Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity. AuditIfNotExists, Disabled 1.0.0
Public network access should be disabled for Batch accounts Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Audit, Deny, Disabled 1.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Bot Service

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. audit, Audit, deny, Deny, disabled, Disabled 2.1.0
Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. Audit, Deny, Disabled 1.0.0
Bot Service should have public network access disabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Audit, Deny, Disabled 1.0.0
BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. Audit, Disabled 1.0.0
Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure BotService resources with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. DeployIfNotExists, Disabled 1.0.0

Cache

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK. Audit, Deny, Disabled 1.0.0
Azure Cache for Redis Enterprise should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cache for Redis should disable public network access Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Audit, Deny, Disabled 1.0.0
Azure Cache for Redis should not use access keys for authentication Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication Audit, Deny, Disabled 1.0.0
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Configure Azure Cache for Redis Enterprise to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure Azure Cache for Redis Enterprise with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. DeployIfNotExists, Disabled 1.1.0
Configure Azure Cache for Redis to disable non SSL ports Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Modify, Disabled 1.0.0
Configure Azure Cache for Redis to disable public network access Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. Modify, Disabled 1.0.0
Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure Azure Cache for Redis with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. DeployIfNotExists, Disabled 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0

CDN

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. Audit, Deny, Disabled 1.0.0
Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. Audit, Deny, Disabled 1.0.0
Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. Audit, Disabled 1.0.0

ChangeTrackingAndInventory

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.3.0-preview
[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.5.0-preview
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.4.0-preview
[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.1.0-preview
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.1.0-preview

Cognitive Services

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. Audit, Deny, Disabled 2.2.0
Cognitive Services accounts should use a managed identity Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. Audit, Deny, Disabled 1.0.0
Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. Audit, Deny, Disabled 2.0.0
Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Modify, Disabled 1.0.0
Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Disabled, Modify 3.0.0
Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. DeployIfNotExists, Disabled 1.0.0
Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. DeployIfNotExists, Disabled 3.0.0

Communication

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Communication service resource should use a managed identity Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials. Audit, Deny, Disabled 1.0.0
Communication service resource should use allow listed data location Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation. Audit, Deny, Disabled 1.0.0

Compute

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allowed virtual machine size SKUs This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Deny 1.0.1
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks audit 1.0.0
Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. DeployIfNotExists, Disabled 2.1.0
Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. DeployIfNotExists, Disabled 1.0.0
Configure disk access resources with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. DeployIfNotExists, Disabled 1.0.0
Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Modify, Disabled 2.0.0
Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. deployIfNotExists 1.1.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Managed disks should be double encrypted with both platform-managed and customer-managed keys High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Audit, Deny, Disabled 1.0.0
Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Audit, Disabled 2.0.0
Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. Audit, Deny, Disabled 2.0.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0
Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. AuditIfNotExists, Disabled 1.1.0
Only approved VM extensions should be installed This policy governs the virtual machine extensions that are not approved. Audit, Deny, Disabled 1.0.0
OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Audit, Deny, Disabled 3.0.0
Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. When export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. Modify, Disabled 1.0.0
Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month. deny 1.0.0
Virtual machines and virtual machine scale sets should have encryption at host enabled Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. Audit, Deny, Disabled 1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

Container Apps

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authentication should be enabled on Container Apps Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App AuditIfNotExists, Disabled 1.0.1
Container App environments should use network injection Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. Audit, Disabled, Deny 1.0.2
Container App should configure with volume mount Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. Audit, Deny, Disabled 1.0.1
Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Audit, Deny, Disabled 1.1.0
Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Audit, Deny, Disabled 1.0.1
Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. Audit, Deny, Disabled 1.0.1
Managed Identity should be enabled for Container Apps Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication Audit, Deny, Disabled 1.0.1

Container Instance

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. Audit, Disabled, Deny 2.0.0
Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled, Deny 1.0.0
Configure diagnostic settings for container groups to Log Analytics workspace Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0

Container Instances

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure diagnostics for container group to log analytics workspace Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. Append, Disabled 1.0.0

Container Registry

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure container registries to disable anonymous authentication. Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Modify, Disabled 1.0.0
Configure container registries to disable ARM audience token authentication. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Modify, Disabled 1.0.0
Configure container registries to disable local admin account. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Modify, Disabled 1.0.1
Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Modify, Disabled 1.0.0
Configure container registries to disable repository scoped access token. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Modify, Disabled 1.0.0
Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. DeployIfNotExists, Disabled 1.0.1
Configure Container registries with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. DeployIfNotExists, Disabled 1.0.0
Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Audit, Deny, Disabled 1.1.2
Container registries should have anonymous authentication disabled. Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Audit, Deny, Disabled 1.0.0
Container registries should have ARM audience token authentication disabled. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Audit, Deny, Disabled 1.0.0
Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. Audit, Deny, Disabled 1.0.0
Container registries should have local admin account disabled. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Audit, Deny, Disabled 1.0.1
Container registries should have repository scoped access token disabled. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Audit, Deny, Disabled 1.0.0
Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. Audit, Deny, Disabled 1.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Audit, Deny, Disabled 2.0.0
Container registries should prevent cache rule creation Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache. Audit, Deny, Disabled 1.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Audit, Deny, Disabled 1.0.0

Cosmos DB

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.1.0
Azure Cosmos DB accounts should not allow traffic from all Azure data centers Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall Audit, Deny, Disabled 1.0.0
Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. Regenerate your keys in the specified time to keep your data more protected. Audit, Disabled 1.0.0
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. [parameters('policyEffect')] 1.1.0
Azure Cosmos DB key based metadata write access should be disabled This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. append 1.0.0
Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Audit, Deny, Disabled 1.0.0
Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Modify, Disabled 1.1.0
Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Modify, Disabled 1.0.1
Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 2.0.0
Configure CosmosDB accounts with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. DeployIfNotExists, Disabled 1.0.0
Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Audit, Deny, Disabled 1.1.0
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy Advanced Threat Protection for Cosmos DB Accounts This policy enables Advanced Threat Protection across Cosmos DB accounts. DeployIfNotExists, Disabled 1.0.0

Custom Provider

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy associations for a custom provider Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. deployIfNotExists 1.0.0

Data Box

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Data Box jobs should enable double encryption for data at rest on the device Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Audit, Deny, Disabled 1.0.0
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Audit, Deny, Disabled 1.0.0

Data Factory

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Data Factory pipelines should only communicate with allowed domains To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Deny, Disabled 1.0.0-preview
Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Audit, Deny, Disabled 1.0.1
Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Audit, Deny, Disabled 1.0.0
Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Audit, Deny, Disabled 1.1.0
Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Audit, Deny, Disabled 1.0.0
Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Audit, Deny, Disabled 2.1.0
Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. Audit, Deny, Disabled 1.0.1
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Modify, Disabled 1.0.0
Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. DeployIfNotExists, Disabled 1.0.0
Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. DeployIfNotExists, Disabled 1.1.0
Public network access on Azure Data Factory should be disabled Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. Audit, Deny, Disabled 1.0.0
SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Audit, Deny, Disabled 2.3.0

Data Lake

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts deny 1.0.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Desktop Virtualization

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. Audit, Deny, Disabled 1.0.0
Azure Virtual Desktop hostpools should disable public network access only on session hosts Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. Audit, Deny, Disabled 1.0.0
Azure Virtual Desktop service should use private link Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. Audit, Disabled 1.0.0
Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Audit, Deny, Disabled 1.0.0
Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Modify, Disabled 1.0.0
Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. Modify, Disabled 1.0.0
Configure Azure Virtual Desktop hostpools with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. DeployIfNotExists, Disabled 1.0.0
Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0
Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Modify, Disabled 1.0.0
Configure Azure Virtual Desktop workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. DeployIfNotExists, Disabled 1.0.0

DevCenter

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. Disallows the use of Microsoft Hosted Networks when creating Pool resources. Audit, Deny, Disabled 1.0.0-preview

DevOpsInfrastructure

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Microsoft Managed DevOps Pools should be provided with valid subnet resource in order to configure with own virtual network. Disallows creating Pool resources if a valid subnet resource is not provided. Audit, Deny, Disabled 1.0.0-preview

ElasticSan

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
ElasticSan should disable public network access Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks. Audit, Deny, Disabled 1.0.0
ElasticSan Volume Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Audit, Disabled 1.0.0
ElasticSan Volume Group should use private endpoints Private endpoints lets administrator connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to volume group, administrator can reduce data leakage risks Audit, Disabled 1.0.0

Event Grid

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Event Grid domains should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Audit, Deny, Disabled 1.0.0
Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Audit, Deny, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid namespace MQTT broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Audit, Disabled 1.0.0
Azure Event Grid namespace topic broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Audit, Disabled 1.0.0
Azure Event Grid namespaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Audit, Deny, Disabled 1.0.0
Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Audit, Deny, Disabled 1.0.0
Azure Event Grid topics should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Audit, Deny, Disabled 1.0.0
Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Audit, Deny, Disabled 1.0.0
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Modify, Disabled 1.0.0
Configure Azure Event Grid namespace MQTT broker with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. DeployIfNotExists, Disabled 1.0.0
Configure Azure Event Grid namespaces with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. DeployIfNotExists, Disabled 1.0.0
Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Modify, Disabled 1.0.0
Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Modify, Disabled 1.0.0
Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. deployIfNotExists, DeployIfNotExists, Disabled 1.1.0
Deploy - Configure Azure Event Grid domains with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. deployIfNotExists, DeployIfNotExists, Disabled 1.1.0
Deploy - Configure Azure Event Grid topics with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. DeployIfNotExists, Disabled 1.0.0
Modify - Configure Azure Event Grid domains to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Modify, Disabled 1.0.0
Modify - Configure Azure Event Grid topics to disable public network access Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. Modify, Disabled 1.0.0

Event Hub

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you should create access policies at the entity level for queues and topics to provide access to only the specific entity Audit, Deny, Disabled 1.0.1
Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access AuditIfNotExists, Disabled 1.0.0
Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Audit, Deny, Disabled 1.0.1
Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Modify, Disabled 1.0.1
Configure Event Hub namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. DeployIfNotExists, Disabled 1.0.0
Configure Event Hub namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. DeployIfNotExists, Disabled 1.0.0
Event Hub Namespaces should disable public network access Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service Audit, Deny, Disabled 1.0.0
Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Audit, Deny, Disabled 1.0.0
Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Audit, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Fluid Relay

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Fluid Relay should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. Audit, Disabled 1.0.0

General

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. deny 1.0.0
Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. deny 1.0.0
Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. deny 1.0.0
Audit resource location matches resource group location Audit that the resource location matches its resource group location audit 2.0.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Configure subscriptions to set up preview features This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. AuditIfNotExists, DeployIfNotExists, Disabled 1.0.1
Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. DenyAction, Disabled 1.0.1
Do Not Allow M365 resources Block creation of M365 resources. Audit, Deny, Disabled 1.0.0
Do Not Allow MCPP resources Block creation of MCPP resources. Audit, Deny, Disabled 1.0.0
Exclude Usage Costs Resources This policy enables you to exlcude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. Audit, Deny, Disabled 1.0.0
Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Audit, Deny, Disabled 2.0.0

Guest Configuration

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. AuditIfNotExists, DeployIfNotExists, Disabled 2.1.0-preview
[Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. DeployIfNotExists, Disabled 1.2.0-preview
[Preview]: Extended Security Updates should be installed on Windows Server 2012 Arc machines. Windows Server 2012 Arc machines should have installed all the Extended Security Updates released by Microsoft. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol AuditIfNotExists, Disabled 1.0.0-preview
[Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. AuditIfNotExists, Disabled 1.2.0-preview
[Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. AuditIfNotExists, Disabled 1.2.0-preview
[Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. AuditIfNotExists, Disabled 1.2.0-preview
[Preview]: Nexus Compute Machines should meet Security Baseline Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). AuditIfNotExists, Disabled 1.1.0-preview
[Preview]: Windows machines should meet STIG compliance requirements for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. AuditIfNotExists, Disabled 1.0.0-preview
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords AuditIfNotExists, Disabled 3.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 AuditIfNotExists, Disabled 3.1.0
Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. AuditIfNotExists, Disabled 4.2.0
Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords AuditIfNotExists, Disabled 3.1.0
Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. AuditIfNotExists, Disabled 4.2.0
Audit SSH security posture for Linux (powered by OSConfig) This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview AuditIfNotExists, Disabled 1.0.1
Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. auditIfNotExists 2.0.0
Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. auditIfNotExists 2.0.0
Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. auditIfNotExists 3.0.0
Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. auditIfNotExists 2.0.0
Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. auditIfNotExists 3.0.0
Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. auditIfNotExists 3.0.0
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. auditIfNotExists 2.0.0
Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. auditIfNotExists 3.0.0
Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. auditIfNotExists 2.0.0
Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. auditIfNotExists 3.0.0
Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not have the minimum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled AuditIfNotExists, Disabled 2.0.0
Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. AuditIfNotExists, Disabled 3.0.0
Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. AuditIfNotExists, Disabled 3.0.0
Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption AuditIfNotExists, Disabled 2.0.0
Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. auditIfNotExists 2.0.0
Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. auditIfNotExists 2.0.0
Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. auditIfNotExists 2.0.0
Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. auditIfNotExists 2.0.0
Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. auditIfNotExists 2.0.0
Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. auditIfNotExists 2.0.0
Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. AuditIfNotExists, Disabled 3.2.0
Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. DeployIfNotExists, Disabled 1.3.0-preview
Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. DeployIfNotExists, Disabled 1.0.1
Configure SSH security posture for Linux (powered by OSConfig) This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview DeployIfNotExists, Disabled 1.0.1
Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. deployIfNotExists 2.1.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 3.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 2.2.0
Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. AuditIfNotExists, Disabled 2.2.0
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.2.1
Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. AuditIfNotExists, Disabled 1.2.0-preview
Local authentication methods should be disabled on Windows Servers Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. AuditIfNotExists, Disabled 1.0.0-preview
Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Audit, Deny, Disabled 1.1.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 2.0.0
Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. AuditIfNotExists, Disabled 4.1.1
Windows machines should configure Windows Defender to update protection signatures within one day To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Windows machines should enable Windows Defender Real-time protection Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 3.0.0
Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 2.0.0
Windows machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. AuditIfNotExists, Disabled 2.0.0
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.1.1

HDInsight

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure HDInsight clusters should be injected into a virtual network Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. Audit, Disabled, Deny 1.0.0
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. Audit, Deny, Disabled 1.0.1
Azure HDInsight clusters should use encryption at host to encrypt data at rest Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Audit, Deny, Disabled 1.0.0
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. Audit, Deny, Disabled 1.0.0
Azure HDInsight should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. AuditIfNotExists, Disabled 1.0.0
Configure Azure HDInsight clusters to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. DeployIfNotExists, Disabled 1.0.0
Configure Azure HDInsight clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. DeployIfNotExists, Disabled 1.0.0

Health Bot

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Health Bots should use customer-managed keys to encrypt data at rest Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk Audit, Disabled 1.0.0

Health Data Services workspace

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Health Data Services workspace should use private link Health Data Services workspace should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/healthcareapisprivatelink. Audit, Disabled 1.0.0

Health Deidentification Service

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Health Data Services de-identification service should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Audit, Disabled 1.0.0
Azure Health Data Services de-identification service should use private link Azure Health Data Services de-identification service should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Audit, Disabled 1.0.0

Healthcare APIs

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CORS should not allow every domain to access your FHIR Service Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. audit, Audit, disabled, Disabled 1.1.0
DICOM Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services DICOM Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Audit, Disabled 1.0.0
FHIR Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services FHIR Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Audit, Disabled 1.0.0

Internet of Things

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk. Audit, Deny, Disabled 1.0.0-preview
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. Audit, Deny, Disabled 1.0.0-preview
Azure Device Update accounts should use customer-managed key to encrypt data at rest Encryption of data at rest in Azure Device Update with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Learn more at:https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption. Audit, Deny, Disabled 1.0.0
Azure Device Update for IoT Hub accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. AuditIfNotExists, Disabled 1.0.0
Azure IoT Hub should have local authentication methods disabled for Service Apis Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Audit, Deny, Disabled 1.0.0
Configure Azure Device Update for IoT Hub accounts to disable public network access Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources. Modify, Disabled 1.0.0
Configure Azure Device Update for IoT Hub accounts to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Updatefor IoT Hub private endpoints. DeployIfNotExists, Disabled 1.0.0
Configure Azure Device Update for IoT Hub accounts with private endpoint A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. DeployIfNotExists, Disabled 1.1.0
Configure Azure IoT Hub to disable local authentication Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Modify, Disabled 1.0.0
Configure IoT Hub device provisioning instances to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet. DeployIfNotExists, Disabled 1.0.0
Configure IoT Hub device provisioning service instances to disable public network access Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet. Modify, Disabled 1.0.0
Configure IoT Hub device provisioning service instances with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure Azure IoT Hubs to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. deployIfNotExists, DeployIfNotExists, disabled, Disabled 1.1.0
Deploy - Configure Azure IoT Hubs with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure IoT Central to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure IoT Central with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint. DeployIfNotExists, Disabled 1.0.0
IoT Central should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe. Audit, Deny, Disabled 1.0.0
IoT Hub device provisioning service instances should disable public network access Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet. Audit, Deny, Disabled 1.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Modify - Configure Azure IoT Hubs to disable public network access Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Modify, Disabled 1.0.0
Modify - Configure IoT Central to disable public network access Disabling the public network access property improves security by ensuring your IoT Central can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Modify, Disabled 1.0.0
Private endpoint should be enabled for IoT Hub Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Audit, Disabled 1.0.0
Public network access for Azure Device Update for IoT Hub accounts should be disabled Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint. Audit, Deny, Disabled 1.0.0
Public network access on Azure IoT Hub should be disabled Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. Audit, Deny, Disabled 1.0.0
Public network access should be disabled for IoT Central To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 1.0.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 3.1.0

Key Vault

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.1-preview
[Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Audit, Deny, Disabled 1.0.1-preview
[Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Audit, Deny, Disabled 1.0.1-preview
[Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Audit, Deny, Disabled 1.0.1-preview
[Preview]: Azure Key Vault Managed HSM should disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Key Vault Managed HSM should use private link Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link Audit, Disabled 1.0.0-preview
[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault. Audit, Deny, Disabled 1.0.0-preview
[Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Modify, Disabled 2.0.0-preview
[Preview]: Configure Azure Key Vault Managed HSM with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. DeployIfNotExists, Disabled 1.0.0-preview
Azure Key Vault Managed HSM should have purge protection enabled Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. Audit, Deny, Disabled 1.0.0
Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Audit, Deny, Disabled 1.1.0
Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Audit, Deny, Disabled 3.2.1
Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Audit, Deny, Disabled 1.0.1
Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. [parameters('audit_effect')] 1.2.1
Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. audit, Audit, deny, Deny, disabled, Disabled 2.1.0
Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. audit, Audit, deny, Deny, disabled, Disabled 2.1.1
Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. audit, Audit, deny, Deny, disabled, Disabled 2.1.0
Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. audit, Audit, deny, Deny, disabled, Disabled 2.2.1
Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. audit, Audit, deny, Deny, disabled, Disabled 2.1.1
Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. audit, Audit, deny, Deny, disabled, Disabled 2.1.0
Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. audit, Audit, deny, Deny, disabled, Disabled 2.1.0
Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. audit, Audit, deny, Deny, disabled, Disabled 2.1.0
Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. DeployIfNotExists, Disabled 1.0.1
Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. DeployIfNotExists, Disabled 1.0.1
Configure key vaults to enable firewall Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Modify, Disabled 1.1.1
Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.1
Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 3.0.1
Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Audit, Deny, Disabled 1.0.2
Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Audit, Deny, Disabled 1.0.2
Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Audit, Deny, Disabled 2.1.0
Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Audit, Deny, Disabled 3.0.0
Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Audit, Deny, Disabled 1.0.1
Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Audit, Deny, Disabled 1.0.1
Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Audit, Disabled 1.0.0
Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Audit, Deny, Disabled 1.0.1
Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Audit, Deny, Disabled 1.0.1
Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Audit, Deny, Disabled 1.0.1
Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Audit, Deny, Disabled 1.0.1
Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Audit, Deny, Disabled 1.0.1
Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. AuditIfNotExists, Disabled 1.1.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Audit, Deny, Disabled 1.0.1
Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Audit, Deny, Disabled 1.0.1
Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Audit, Deny, Disabled 1.0.1
Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Audit, Deny, Disabled 1.0.1

Kubernetes

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: [Image Integrity] Kubernetes clusters should only use images signed by notation Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity Audit, Disabled 1.1.0-preview
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. AuditIfNotExists, Disabled 6.0.0-preview
[Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Audit, Deny, Disabled 1.3.0-preview
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. DeployIfNotExists, Disabled 7.3.0-preview
[Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity DeployIfNotExists, Disabled 1.0.5-preview
[Preview]: Kubernetes cluster container images must include the preStop hook Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. Audit, Deny, Disabled 1.1.0-preview
[Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. Audit, Deny, Disabled 1.1.0-preview
[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Audit, Deny, Disabled 1.2.0-preview
[Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Audit, Deny, Disabled 1.2.0-preview
[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Audit, Deny, Disabled 1.3.0-preview
[Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Audit, Deny, Disabled 2.3.0-preview
[Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Audit, Deny, Disabled 1.2.0-preview
[Preview]: Mutate K8s Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers Mutate, Disabled 1.1.0-preview
[Preview]: Mutate K8s Init Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers Mutate, Disabled 1.1.0-preview
[Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with kubernetes.azure.com to denote AKS owned components. The customer should not use these labels. Audit, Deny, Disabled 1.2.0-preview
[Preview]: Prevents containers from being ran as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being ran as root. Mutate, Disabled 1.0.0-preview
[Preview]: Prevents init containers from being ran as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being ran as root. Mutate, Disabled 1.0.0-preview
[Preview]: Prints a message if a mutation is applied Looks up the mutation annotations applied and prints a message if annotation exists. Audit, Disabled 1.1.0-preview
[Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Audit, Deny, Disabled 1.2.0-preview
[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Mutate, Disabled 1.2.0-preview
[Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens Mutate, Disabled 1.1.0-preview
[Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Mutate, Disabled 1.0.0-preview
[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Mutate, Disabled 1.2.0-preview
[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Mutate, Disabled 1.2.0-preview
[Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Mutate, Disabled 1.1.0-preview
[Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Mutate, Disabled 1.0.0-preview
[Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Mutate, Disabled 1.1.0-preview
[Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Mutate, Disabled 1.0.0-preview
[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption Mutate, Disabled 1.2.0-preview
[Preview]: Sets Privilege escalation in the Pod spec in init containers to false. Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Mutate, Disabled 1.1.0-preview
[Preview]: Sets Privilege escalation in the Pod spec to false. Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Mutate, Disabled 1.1.0-preview
[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Mutate, Disabled 1.2.0-preview
[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Mutate, Disabled 1.2.0-preview
Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. AuditIfNotExists, Disabled 1.1.0
Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Azure Kubernetes Clusters should disable SSH Disable SSH gives you the ability to secure your cluster and reduce the attack surface. To learn more, visit: aka.ms/aks/disablessh Audit, Disabled 1.0.0
Azure Kubernetes Clusters should enable Container Storage Interface(CSI) The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, https://aka.ms/aks-csi-driver Audit, Disabled 1.0.0
Azure Kubernetes Clusters should enable Key Management Service (KMS) Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. Audit, Disabled 1.0.0
Azure Kubernetes Clusters should use Azure CNI Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni Audit, Disabled 1.0.1
Azure Kubernetes Service Clusters should disable Command Invoke Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control Audit, Disabled 1.0.1
Azure Kubernetes Service Clusters should enable cluster auto-upgrade AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster. Audit, Disabled 1.0.0
Azure Kubernetes Service Clusters should enable Image Cleaner Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner. Audit, Disabled 1.0.0
Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Audit, Disabled 1.0.2
Azure Kubernetes Service Clusters should enable node os auto-upgrade AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Audit, Disabled 1.0.0
Azure Kubernetes Service Clusters should enable workload identity Workload identity allows to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi. Audit, Disabled 1.0.0
Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Audit, Disabled 2.0.1
Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Audit, Deny, Disabled 1.0.1
Azure Kubernetes Service Clusters should use managed identities Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities Audit, Disabled 1.0.1
Azure Kubernetes Service Private Clusters should be enabled Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Audit, Disabled 1.0.2
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1
Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. DeployIfNotExists, Disabled 1.1.0
Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. DeployIfNotExists, Disabled 4.3.0
Configure installation of Flux extension on Kubernetes cluster Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.1
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with Flux v2 configuration using public Git repository Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. DeployIfNotExists, Disabled 1.0.0
Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 1.1.0
Configure Kubernetes clusters with specified GitOps configuration using no secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 1.1.0
Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 1.1.0
Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. DeployIfNotExists, Disabled 2.1.0
Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. DeployIfNotExists, Disabled 1.0.1
Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. DeployIfNotExists, Disabled 3.0.0
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. DeployIfNotExists, Disabled 4.1.0
Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner DeployIfNotExists, Disabled 1.0.4
Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster DeployIfNotExists, Disabled 1.2.0
Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Audit, Deny, Disabled 3.3.0
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.3.0
Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.2.0
Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.2.0
Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.2.0
Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.2.0
Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.3.0
Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 8.2.0
Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Audit, Deny, Disabled 3.2.0
Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.2.0
Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.3.0
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.2.0
Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.2.0
Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.2.0
Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.2.0
Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.2.0
Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.2.0
Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.2.0
Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 8.2.0
Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.2.0
Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.2.0
Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Audit, Deny, Disabled 2.3.0
Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Audit, Deny, Disabled 2.2.0
Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Audit, Deny, Disabled 1.2.0
Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Audit, Deny, Disabled 2.2.0
Kubernetes cluster Windows pods should not run HostProcess containers Prevent prviledged access to the windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Audit, Deny, Disabled 1.0.0
Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc audit, Audit, deny, Deny, disabled, Disabled 8.2.0
Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 4.2.0
Kubernetes clusters should ensure that the cluster-admin role is only used where required The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. Audit, Disabled 1.1.0
Kubernetes clusters should minimize wildcard use in role and cluster role Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. Audit, Disabled 1.1.0
Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.2.0
Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Audit, Disabled 3.2.0
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.1.0
Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 5.2.0
Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 4.2.0
Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Audit, Deny, Disabled 2.3.0
Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 8.2.0
Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Audit, Deny, Disabled 3.2.0
Resource logs in Azure Kubernetes Service should be enabled Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed AuditIfNotExists, Disabled 1.0.0
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1

Lab Services

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Lab Services should enable all options for auto shutdown This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. Audit, Deny, Disabled 1.1.0
Lab Services should not allow template virtual machines for labs This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. Audit, Deny, Disabled 1.1.0
Lab Services should require non-admin user for labs This policy requires non-admin user accounts to be created for the labs managed through lab-services. Audit, Deny, Disabled 1.1.0
Lab Services should restrict allowed virtual machine SKU sizes This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. Audit, Deny, Disabled 1.1.0

Lighthouse

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allow managing tenant ids to onboard through Azure Lighthouse Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. deny 1.0.1
Audit delegation of scopes to a managing tenant Audit delegation of scopes to a managing tenant via Azure Lighthouse. Audit, Disabled 1.0.0

Logic Apps

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Logic Apps Integration Service Environment should be encrypted with customer-managed keys Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Deny, Disabled 1.0.0
Logic Apps should be deployed into Integration Service Environment Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements. Audit, Deny, Disabled 1.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.1.0

Machine Learning

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Machine Learning Deployments should only use approved Registry Models Restrict the deployment of Registry models to control externally created models used within your organization Audit, Deny, Disabled 1.0.0-preview
[Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry Only deploy Registry Models in the allowed Registry and that are not restricted. Deny, Disabled 1.0.0-preview
Azure Machine Learning Compute Instance should have idle shutdown. Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. Audit, Deny, Disabled 1.0.0
Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. [parameters('effects')] 1.0.3
Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Audit, Disabled 1.0.1
Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Audit, Deny, Disabled 2.1.0
Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Audit, Deny, Disabled 1.1.0
Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Audit, Deny, Disabled 2.0.1
Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. Audit, Deny, Disabled 1.0.0
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Disabled 1.0.0
Azure Machine Learning workspaces should use user-assigned managed identity Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python. Audit, Deny, Disabled 1.0.0
Configure Azure Machine Learning Computes to disable local authentication methods Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Modify, Disabled 2.1.0
Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. DeployIfNotExists, Disabled 1.1.0
Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Modify, Disabled 1.0.3
Configure Azure Machine Learning workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. DeployIfNotExists, Disabled 1.0.0
Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.1
Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 1.0.1

Managed Application

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Application definition for Managed Application should use customer provided storage account Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Deploy associations for a managed application Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. deployIfNotExists 1.0.0

Managed Grafana

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Managed Grafana workspaces should disable email settings Disables SMTP settings configuration of email contact point for alerting in Grafana workspace. Audit, Deny, Disabled 1.0.0
Azure Managed Grafana workspaces should disable Grafana Enterprise upgrade Disables Grafana Enterprise upgrade in Grafana workspace. Audit, Deny, Disabled 1.0.0
Azure Managed Grafana workspaces should disable public network access Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. Audit, Deny, Disabled 1.0.0
Azure Managed Grafana workspaces should disable service account Disables API keys and service account for automated workloads in Grafana workspace. Audit, Deny, Disabled 1.0.0
Azure Managed Grafana workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Audit, Disabled 1.0.1
Configure Azure Managed Grafana workspaces to disable public network access Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks. Modify, Disabled 1.0.0
Configure Azure Managed Grafana workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. DeployIfNotExists, Disabled 1.0.0
Configure Azure Managed Grafana workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. DeployIfNotExists, Disabled 1.0.1

Managed Identity

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources This policy limits federeation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters. Audit, Disabled, Deny 1.0.0-preview
[Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Audit, Disabled, Deny 1.0.1-preview
[Preview]: Managed Identity Federated Credentials should be from allowed issuer types This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions. Audit, Disabled, Deny 1.0.0-preview
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. AuditIfNotExists, DeployIfNotExists, Disabled 1.1.0-preview
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. AuditIfNotExists, DeployIfNotExists, Disabled 1.1.0-preview

Maps

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
CORS should not allow every resource to access your map account. Cross-Origin Resource Sharing (CORS) should not allow all domains to access your map account. Allow only required domains to interact with your map account. Disabled, Audit, Deny 1.0.0

Media Services

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Media Services accounts should disable public network access Disabling public network access improves security by ensuring that Media Services resources are not exposed on the public internet. Creating private endpoints can limit exposure of Media Services resources. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. Audit, Deny, Disabled 1.0.0
Azure Media Services accounts should use an API that supports Private Link Media Services accounts should be created with an API that supports private link. Audit, Deny, Disabled 1.0.0
Azure Media Services accounts that allow access to the legacy v2 API should be blocked The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API. Audit, Deny, Disabled 1.0.0
Azure Media Services content key policies should use token authentication Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Microsoft Entra ID. Audit, Deny, Disabled 1.0.1
Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. Deny, Disabled 1.0.1
Azure Media Services should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Media Services accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/mediaservicescmkdocs. Audit, Deny, Disabled 1.0.0
Azure Media Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. AuditIfNotExists, Disabled 1.0.0
Configure Azure Media Services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. DeployIfNotExists, Disabled 1.0.0
Configure Azure Media Services with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. DeployIfNotExists, Disabled 1.0.0

Migrate

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Azure Migrate resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. DeployIfNotExists, Disabled 1.0.0

Mobile Network

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs Modify, Disabled 1.0.0
Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs Audit, Deny, Disabled 1.0.0
SIM Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Deny, Disabled 1.0.0

Monitoring

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. DeployIfNotExists, Disabled 1.0.0-preview
[Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. DeployIfNotExists, Disabled 1.1.0-preview
[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Modify, Disabled 6.0.0-preview
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. AuditIfNotExists, Disabled 2.0.1-preview
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1-preview
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). AuditIfNotExists, Disabled 1.0.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 3.0.0
An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Application Insights components should block log ingestion and querying from public networks Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Application Insights components should block non-Azure Active Directory based ingestion. Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Deny, Audit, Disabled 1.0.0
Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage Deny, Audit, Disabled 1.0.0
Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. AuditIfNotExists 2.0.1
Azure Application Gateway should have Resource logs enabled Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. AuditIfNotExists, Disabled 1.0.0
Azure Front Door should have Resource logs enabled Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. AuditIfNotExists, Disabled 1.0.0
Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. AuditIfNotExists, Disabled 1.0.0
Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. Audit, Disabled, Deny 1.0.0
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Monitor Private Link Scope should block access to non private link resources Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. Audit, Deny, Disabled 1.0.0
Azure Monitor Private Link Scope should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. AuditIfNotExists, Disabled 1.0.0
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 2.0.0
Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. AuditIfNotExists, Disabled 1.0.0
Azure subscriptions should have a log profile for Activity Log This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. AuditIfNotExists, Disabled 1.0.0
Configure Azure Activity logs to stream to specified Log Analytics workspace Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events DeployIfNotExists, Disabled 1.0.0
Configure Azure Application Insights components to disable public network access for log ingestion and querying Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Modify, Disabled 1.1.0
Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Modify, Disabled 1.1.0
Configure Azure Monitor Private Link Scope to block access to non private link resources Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. Modify, Disabled 1.0.0
Configure Azure Monitor Private Link Scope to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. DeployIfNotExists, Disabled 1.0.0
Configure Azure Monitor Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. DeployIfNotExists, Disabled 1.0.0
Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 2.1.0
Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 1.2.0
Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 2.1.0
Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. DeployIfNotExists, Disabled 1.2.0
Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. DeployIfNotExists, Disabled 2.2.1
Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 2.4.0
Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 6.5.1
Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 4.4.1
Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 3.6.0
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 3.8.0
Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 4.4.1
Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 3.6.0
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 3.8.0
Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date DeployIfNotExists, Disabled 2.1.1
Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. DeployIfNotExists, Disabled 2.1.1
Configure Log Analytics workspace and automation account to centralize logs and monitoring Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. DeployIfNotExists, AuditIfNotExists, Disabled 2.0.0
Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. DeployIfNotExists, Disabled 2.2.1
Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 2.4.0
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 4.5.1
Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 3.3.1
Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 3.4.0
Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.6.0
Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. DeployIfNotExists, Disabled 3.3.1
Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 4.4.0
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. DeployIfNotExists, Disabled 1.6.0
Dependency agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. AuditIfNotExists, Disabled 2.0.0
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. DeployIfNotExists, Disabled 3.2.0
Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. DeployIfNotExists, Disabled 3.2.0
Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. DeployIfNotExists, Disabled 3.1.0
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. DeployIfNotExists, Disabled 3.1.0
Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. deployIfNotExists 5.1.0
Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. DeployIfNotExists, Disabled 3.2.0
Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. deployIfNotExists 5.1.0
Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. DeployIfNotExists, Disabled 3.2.0
Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. DeployIfNotExists, Disabled 1.3.0
Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. DeployIfNotExists, Disabled 1.3.0
Deploy Diagnostic Settings for Batch Account to Event Hub Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.1.0
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Event Hub to Event Hub Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.1.0
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 3.0.0
Deploy Diagnostic Settings for Logic Apps to Event Hub Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. deployIfNotExists 2.0.1
Deploy Diagnostic Settings for Search Services to Event Hub Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Service Bus to Event Hub Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.1.0
Deploy Diagnostic Settings for Stream Analytics to Event Hub Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date deployIfNotExists 3.0.0
Deploy Log Analytics extension for Linux VMs. See deprecation notice below Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date deployIfNotExists 3.0.0
Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Analysis Services (microsoft.analysisservices/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Analysis Services (microsoft.analysisservices/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Service Environments (microsoft.web/hostingenvironments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Service Environments (microsoft.web/hostingenvironments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application groups (microsoft.desktopvirtualization/applicationgroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application groups (microsoft.desktopvirtualization/applicationgroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application Insights (microsoft.insights/components). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.1
Enable logging by category group for Application Insights (microsoft.insights/components) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application Insights (microsoft.insights/components). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure AD Domain Services (microsoft.aad/domainservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure AD Domain Services (microsoft.aad/domainservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure API for FHIR (microsoft.healthcareapis/services). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure API for FHIR (microsoft.healthcareapis/services). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Data Explorer Clusters (microsoft.kusto/clusters). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Data Explorer Clusters (microsoft.kusto/clusters). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Databricks Services (microsoft.databricks/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Databricks Services (microsoft.databricks/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Load Testing (microsoft.loadtestservice/loadtests). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Load Testing (microsoft.loadtestservice/loadtests). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Managed Grafana (microsoft.dashboard/grafana). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Managed Grafana (microsoft.dashboard/grafana). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Spring Apps (microsoft.appplatform/spring). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Spring Apps (microsoft.appplatform/spring). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Synapse Analytics (microsoft.synapse/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Video Indexer (microsoft.videoindexer/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Video Indexer (microsoft.videoindexer/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Backup vaults (microsoft.dataprotection/backupvaults). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Backup vaults (microsoft.dataprotection/backupvaults). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Batch accounts (microsoft.batch/batchaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Batch accounts (microsoft.batch/batchaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bot Services (microsoft.botservice/botservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bot Services (microsoft.botservice/botservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Caches (microsoft.cache/redisenterprise/databases). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Caches (microsoft.cache/redisenterprise/databases). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Chaos Experiments (microsoft.chaos/experiments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Chaos Experiments (microsoft.chaos/experiments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Communication Services (microsoft.communication/communicationservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Communication Services (microsoft.communication/communicationservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Connected Cache Resources (microsoft.connectedcache/ispcustomers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Connected Cache Resources (microsoft.connectedcache/ispcustomers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container Apps Environments (microsoft.app/managedenvironments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container Apps Environments (microsoft.app/managedenvironments). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data collection rules (microsoft.insights/datacollectionrules). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data collection rules (microsoft.insights/datacollectionrules). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data factories (V2) (microsoft.datafactory/factories). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data factories (V2) (microsoft.datafactory/factories). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Analytics (microsoft.datalakeanalytics/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Analytics (microsoft.datalakeanalytics/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Shares (microsoft.datashare/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Shares (microsoft.datashare/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dev centers (microsoft.devcenter/devcenters). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dev centers (microsoft.devcenter/devcenters). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Endpoints (microsoft.cdn/profiles/endpoints). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Endpoints (microsoft.cdn/profiles/endpoints). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid System Topics (microsoft.eventgrid/systemtopics). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid System Topics (microsoft.eventgrid/systemtopics). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Firewalls (microsoft.network/azurefirewalls). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Host pools (microsoft.desktopvirtualization/hostpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Host pools (microsoft.desktopvirtualization/hostpools). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for HPC caches (microsoft.storagecache/caches). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for HPC caches (microsoft.storagecache/caches). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Integration accounts (microsoft.logic/integrationaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Integration accounts (microsoft.logic/integrationaccounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Live events (microsoft.media/mediaservices/liveevents). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Live events (microsoft.media/mediaservices/liveevents). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Load balancers (microsoft.network/loadbalancers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Logic apps (microsoft.logic/workflows). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Logic apps (microsoft.logic/workflows). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed CCF Apps (microsoft.confidentialledger/managedccfs). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed CCF Apps (microsoft.confidentialledger/managedccfs). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed databases (microsoft.sql/managedinstances/databases). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed databases (microsoft.sql/managedinstances/databases). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.2.0
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). DeployIfNotExists, AuditIfNotExists, Disabled 1.1.0
Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.autonomousdevelopmentplatform/workspaces. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.autonomousdevelopmentplatform/workspaces. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.azuresphere/catalogs. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.azuresphere/catalogs to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.azuresphere/catalogs. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.cdn/cdnwebapplicationfirewallpolicies. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.cdn/cdnwebapplicationfirewallpolicies. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.classicnetwork/networksecuritygroups. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.classicnetwork/networksecuritygroups. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.community/communitytrainings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.community/communitytrainings. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.community/communitytrainings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.community/communitytrainings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.community/communitytrainings. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.connectedcache/enterprisemcccustomers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.connectedcache/enterprisemcccustomers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.customproviders/resourceproviders. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.customproviders/resourceproviders to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.customproviders/resourceproviders. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.d365customerinsights/instances. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.d365customerinsights/instances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.d365customerinsights/instances. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbformysql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbformysql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servergroupsv2. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.dbforpostgresql/servers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.devices/provisioningservices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.devices/provisioningservices. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.devices/provisioningservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.devices/provisioningservices. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/cassandraclusters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/cassandraclusters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/mongoclusters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.documentdb/mongoclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/mongoclusters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.insights/autoscalesettings. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.insights/autoscalesettings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.insights/autoscalesettings. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/registries. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.machinelearningservices/registries to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/registries. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/workspaces/onlineendpoints. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/workspaces/onlineendpoints. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.managednetworkfabric/networkdevices. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.managednetworkfabric/networkdevices. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/dnsresolverpolicies. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networkmanagers/ipampools. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networksecurityperimeters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for microsoft.network/networksecurityperimeters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters. DeployIfNotExists, AuditIfNotExists, Disabled