Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 5 (Azure Government). For more information about this compliance standard, see NIST SP 800-53 Rev. 5. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the NIST SP 800-53 Rev. 5 controls. Use the navigation on the right to jump directly to a specific compliance domain. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Access Control

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 AC-1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | audit | 1.0.0 |

Account Management

ID: NIST SP 800-53 Rev. 5 AC-2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1002 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1003 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1004 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1005 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1006 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1007 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1008 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1009 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1010 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1011 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1012 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1022 - Account Management \| Shared / Group Account Credential Termination | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Automated System Account Management

ID: NIST SP 800-53 Rev. 5 AC-2 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1013 - Account Management \| Automated System Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Automated Temporary and Emergency Account Management

ID: NIST SP 800-53 Rev. 5 AC-2 (2) Ownership: Microsoft

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1014 - Account Management \| Removal Of Temporary / Emergency Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |

Disable Accounts

ID: NIST SP 800-53 Rev. 5 AC-2 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1015 - Account Management \| Disable Inactive Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |

Automated Audit Actions

ID: NIST SP 800-53 Rev. 5 AC-2 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1016 - Account Management \| Automated Audit Actions | Microsoft implements this Access Control control | audit | 1.0.0 |

Inactivity Logout

ID: NIST SP 800-53 Rev. 5 AC-2 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1017 - Account Management \| Inactivity Logout | Microsoft implements this Access Control control | audit | 1.0.0 |

Privileged User Accounts

ID: NIST SP 800-53 Rev. 5 AC-2 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1018 - Account Management \| Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1019 - Account Management \| Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1020 - Account Management \| Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Restrictions on Use of Shared and Group Accounts

ID: NIST SP 800-53 Rev. 5 AC-2 (9) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1021 - Account Management \| Restrictions On Use Of Shared / Group Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |

Usage Conditions

ID: NIST SP 800-53 Rev. 5 AC-2 (11) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1023 - Account Management \| Usage Conditions | Microsoft implements this Access Control control | audit | 1.0.0 |

Account Monitoring for Atypical Usage

ID: NIST SP 800-53 Rev. 5 AC-2 (12) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Managed Control 1024 - Account Management \| Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1025 - Account Management \| Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |

Disable Accounts for High-risk Individuals

ID: NIST SP 800-53 Rev. 5 AC-2 (13) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1026 - Account Management \| Disable Accounts For High-Risk Individuals | Microsoft implements this Access Control control | audit | 1.0.0 |

Access Enforcement

ID: NIST SP 800-53 Rev. 5 AC-3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.1.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they have accounts without passwords. | AuditIfNotExists, Disabled | 1.2.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled for accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.1 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1027 - Access Enforcement | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Role-based Access Control

ID: NIST SP 800-53 Rev. 5 AC-3 (7) Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |

Information Flow Enforcement

ID: NIST SP 800-53 Rev. 5 AC-4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.0 |
| Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 1.1.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Audit, Deny, Disabled | 3.0.1 |
| Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 3.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1028 - Information Flow Enforcement Microsoft implements this Access Control control audit 1.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0

Dynamic Information Flow Control

ID: NIST SP 800-53 Rev. 5 AC-4 (3) Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0

Security and Privacy Policy Filters

ID: NIST SP 800-53 Rev. 5 AC-4 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters Microsoft implements this Access Control control audit 1.0.0

Physical or Logical Separation of Information Flows

ID: NIST SP 800-53 Rev. 5 AC-4 (21) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows Microsoft implements this Access Control control audit 1.0.0

Separation of Duties

ID: NIST SP 800-53 Rev. 5 AC-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1031 - Separation Of Duties Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1032 - Separation Of Duties Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1033 - Separation Of Duties Microsoft implements this Access Control control audit 1.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Least Privilege

ID: NIST SP 800-53 Rev. 5 AC-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Audit, Disabled 1.0.0
Microsoft Managed Control 1034 - Least Privilege Microsoft implements this Access Control control audit 1.0.0

Authorize Access to Security Functions

ID: NIST SP 800-53 Rev. 5 AC-6 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions Microsoft implements this Access Control control audit 1.0.0

Non-privileged Access for Nonsecurity Functions

ID: NIST SP 800-53 Rev. 5 AC-6 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions Microsoft implements this Access Control control audit 1.0.0

Network Access to Privileged Commands

ID: NIST SP 800-53 Rev. 5 AC-6 (3) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands Microsoft implements this Access Control control audit 1.0.0

Privileged Accounts

ID: NIST SP 800-53 Rev. 5 AC-6 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts Microsoft implements this Access Control control audit 1.0.0

Review of User Privileges

ID: NIST SP 800-53 Rev. 5 AC-6 (7) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Audit, Disabled 1.0.0
Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges Microsoft implements this Access Control control audit 1.0.0

Privilege Levels for Code Execution

ID: NIST SP 800-53 Rev. 5 AC-6 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution Microsoft implements this Access Control control audit 1.0.0

Log Use of Privileged Functions

ID: NIST SP 800-53 Rev. 5 AC-6 (9) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions Microsoft implements this Access Control control audit 1.0.0

Prohibit Non-privileged Users from Executing Privileged Functions

ID: NIST SP 800-53 Rev. 5 AC-6 (10) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions Microsoft implements this Access Control control audit 1.0.0

Unsuccessful Logon Attempts

ID: NIST SP 800-53 Rev. 5 AC-7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1044 - Unsuccessful Logon Attempts Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1045 - Unsuccessful Logon Attempts Microsoft implements this Access Control control audit 1.0.0

Purge or Wipe Mobile Device

ID: NIST SP 800-53 Rev. 5 AC-7 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device Microsoft implements this Access Control control audit 1.0.0

System Use Notification

ID: NIST SP 800-53 Rev. 5 AC-8 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1047 - System Use Notification Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1048 - System Use Notification Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1049 - System Use Notification Microsoft implements this Access Control control audit 1.0.0

Concurrent Session Control

ID: NIST SP 800-53 Rev. 5 AC-10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1050 - Concurrent Session Control Microsoft implements this Access Control control audit 1.0.0

Device Lock

ID: NIST SP 800-53 Rev. 5 AC-11 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1051 - Session Lock Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1052 - Session Lock Microsoft implements this Access Control control audit 1.0.0

Pattern-hiding Displays

ID: NIST SP 800-53 Rev. 5 AC-11 (1) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays Microsoft implements this Access Control control audit 1.0.0

Session Termination

ID: NIST SP 800-53 Rev. 5 AC-12 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1054 - Session Termination Microsoft implements this Access Control control audit 1.0.0

User-initiated Logouts

ID: NIST SP 800-53 Rev. 5 AC-12 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1055 - Session Termination | User-Initiated Logouts / Message Displays Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays Microsoft implements this Access Control control audit 1.0.0

Permitted Actions Without Identification or Authentication

ID: NIST SP 800-53 Rev. 5 AC-14 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication Microsoft implements this Access Control control audit 1.0.0

Security and Privacy Attributes

ID: NIST SP 800-53 Rev. 5 AC-16 Ownership: Customer

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2

Remote Access

ID: NIST SP 800-53 Rev. 5 AC-17 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they allow remote connections from accounts without passwords. AuditIfNotExists, Disabled 1.2.0
Azure Cache for Redis should use private link Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Microsoft Managed Control 1059 - Remote Access Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1060 - Remote Access Microsoft implements this Access Control control audit 1.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0

Monitoring and Control

ID: NIST SP 800-53 Rev. 5 AC-17 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Linux machines are non-compliant if they allow remote connections from accounts without passwords. AuditIfNotExists, Disabled 1.2.0
Azure Cache for Redis should use private link Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control Microsoft implements this Access Control control audit 1.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0

Protection of Confidentiality and Integrity Using Encryption

ID: NIST SP 800-53 Rev. 5 AC-17 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption Microsoft implements this Access Control control audit 1.0.0

Managed Access Control Points

ID: NIST SP 800-53 Rev. 5 AC-17 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points Microsoft implements this Access Control control audit 1.0.0

Privileged Commands and Access

ID: NIST SP 800-53 Rev. 5 AC-17 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access Microsoft implements this Access Control control audit 1.0.0

Disconnect or Disable Access

ID: NIST SP 800-53 Rev. 5 AC-17 (9) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access Microsoft implements this Access Control control audit 1.0.0

Wireless Access

ID: NIST SP 800-53 Rev. 5 AC-18 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1067 - Wireless Access Restrictions Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1068 - Wireless Access Restrictions Microsoft implements this Access Control control audit 1.0.0

Authentication and Encryption

ID: NIST SP 800-53 Rev. 5 AC-18 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption Microsoft implements this Access Control control audit 1.0.0

Disable Wireless Networking

ID: NIST SP 800-53 Rev. 5 AC-18 (3) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking Microsoft implements this Access Control control audit 1.0.0

Restrict Configurations by Users

ID: NIST SP 800-53 Rev. 5 AC-18 (4) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users Microsoft implements this Access Control control audit 1.0.0

Antennas and Transmission Power Levels

ID: NIST SP 800-53 Rev. 5 AC-18 (5) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power Levels Microsoft implements this Access Control control audit 1.0.0

Access Control for Mobile Devices

ID: NIST SP 800-53 Rev. 5 AC-19 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems Microsoft implements this Access Control control audit 1.0.0

Full Device or Container-based Encryption

ID: NIST SP 800-53 Rev. 5 AC-19 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption Microsoft implements this Access Control control audit 1.0.0

Use of External Systems

ID: NIST SP 800-53 Rev. 5 AC-20 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1076 - Use Of External Information Systems Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1077 - Use Of External Information Systems Microsoft implements this Access Control control audit 1.0.0

Limits on Authorized Use

ID: NIST SP 800-53 Rev. 5 AC-20 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use Microsoft implements this Access Control control audit 1.0.0

Portable Storage Devices - Restricted Use

ID: NIST SP 800-53 Rev. 5 AC-20 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices Microsoft implements this Access Control control audit 1.0.0

Information Sharing

ID: NIST SP 800-53 Rev. 5 AC-21 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1081 - Information Sharing Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1082 - Information Sharing Microsoft implements this Access Control control audit 1.0.0

Publicly Accessible Content

ID: NIST SP 800-53 Rev. 5 AC-22 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1083 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1084 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1085 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1086 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0

Awareness and Training

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 AT-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures Microsoft implements this Awareness and Training control audit 1.0.0

Literacy Training and Awareness

ID: NIST SP 800-53 Rev. 5 AT-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1089 - Security Awareness Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1090 - Security Awareness Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1091 - Security Awareness Microsoft implements this Awareness and Training control audit 1.0.0

Insider Threat

ID: NIST SP 800-53 Rev. 5 AT-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1092 - Security Awareness | Insider Threat Microsoft implements this Awareness and Training control audit 1.0.0

Role-based Training

ID: NIST SP 800-53 Rev. 5 AT-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1093 - Role-Based Security Training Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1094 - Role-Based Security Training Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1095 - Role-Based Security Training Microsoft implements this Awareness and Training control audit 1.0.0

Practical Exercises

ID: NIST SP 800-53 Rev. 5 AT-3 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises Microsoft implements this Awareness and Training control audit 1.0.0

Training Records

ID: NIST SP 800-53 Rev. 5 AT-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1098 - Security Training Records Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1099 - Security Training Records Microsoft implements this Awareness and Training control audit 1.0.0

Audit and Accountability

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 AU-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures Microsoft implements this Audit and Accountability control audit 1.0.0

Event Logging

ID: NIST SP 800-53 Rev. 5 AU-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1102 - Audit Events Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1103 - Audit Events Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1104 - Audit Events Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1105 - Audit Events Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1106 - Audit Events | Reviews And Updates Microsoft implements this Audit and Accountability control audit 1.0.0

Content of Audit Records

ID: NIST SP 800-53 Rev. 5 AU-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1107 - Content Of Audit Records Microsoft implements this Audit and Accountability control audit 1.0.0

Additional Audit Information

ID: NIST SP 800-53 Rev. 5 AU-3 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information Microsoft implements this Audit and Accountability control audit 1.0.0

Audit Log Storage Capacity

ID: NIST SP 800-53 Rev. 5 AU-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1110 - Audit Storage Capacity Microsoft implements this Audit and Accountability control audit 1.0.0

Response to Audit Logging Process Failures

ID: NIST SP 800-53 Rev. 5 AU-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1111 - Response To Audit Processing Failures Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1112 - Response To Audit Processing Failures Microsoft implements this Audit and Accountability control audit 1.0.0

Storage Capacity Warning

ID: NIST SP 800-53 Rev. 5 AU-5 (1) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity Microsoft implements this Audit and Accountability control audit 1.0.0

Real-time Alerts

ID: NIST SP 800-53 Rev. 5 AU-5 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts Microsoft implements this Audit and Accountability control audit 1.0.0

Audit Record Review, Analysis, and Reporting

ID: NIST SP 800-53 Rev. 5 AU-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. AuditIfNotExists, Disabled 4.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security. AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment Microsoft implements this Audit and Accountability control audit 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems with an end-to-end view of the network. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0

Automated Process Integration

ID: NIST SP 800-53 Rev. 5 AU-6 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration Microsoft implements this Audit and Accountability control audit 1.0.0

Correlate Audit Record Repositories

ID: NIST SP 800-53 Rev. 5 AU-6 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories Microsoft implements this Audit and Accountability control audit 1.0.0

Central Review and Analysis

ID: NIST SP 800-53 Rev. 5 AU-6 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. AuditIfNotExists, Disabled 4.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security. AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis Microsoft implements this Audit and Accountability control audit 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0
Resource logs in Virtual Machine Scale Sets should be enabled It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. AuditIfNotExists, Disabled 2.1.0
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol AuditIfNotExists, Disabled 1.0.1

Integrated Analysis of Audit Records

ID: NIST SP 800-53 Rev. 5 AU-6 (5) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | The Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies such as 'Windows Exploit guard should be enabled' become available. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows or Linux virtual machine (VM) on which the Log Analytics agent is not installed. Security Center uses this agent to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment, and run-time protection for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting \| Integration / Scanning And Monitoring Capabilities | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A Network Watcher resource group must be created in every region where a virtual network is present. An alert is raised if a Network Watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.1.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |

Correlation with Physical Monitoring

ID: NIST SP 800-53 Rev. 5 AU-6 (6) Ownership: Microsoft

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting \| Correlation With Physical Monitoring | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Permitted Actions

ID: NIST SP 800-53 Rev. 5 AU-6 (7) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting \| Permitted Actions | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Audit Record Reduction and Report Generation

ID: NIST SP 800-53 Rev. 5 AU-7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1124 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1125 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Automatic Processing

ID: NIST SP 800-53 Rev. 5 AU-7 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1126 - Audit Reduction And Report Generation \| Automatic Processing | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Time Stamps

ID: NIST SP 800-53 Rev. 5 AU-8 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1127 - Time Stamps | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1128 - Time Stamps | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Protection of Audit Information

ID: NIST SP 800-53 Rev. 5 AU-9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1131 - Protection Of Audit Information | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Store on Separate Physical Systems or Components

ID: NIST SP 800-53 Rev. 5 AU-9 (2) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1132 - Protection Of Audit Information \| Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Cryptographic Protection

ID: NIST SP 800-53 Rev. 5 AU-9 (3) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1133 - Protection Of Audit Information \| Cryptographic Protection | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Access by Subset of Privileged Users

ID: NIST SP 800-53 Rev. 5 AU-9 (4) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1134 - Protection Of Audit Information \| Access By Subset Of Privileged Users | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Non-repudiation

ID: NIST SP 800-53 Rev. 5 AU-10 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1135 - Non-Repudiation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Audit Record Retention

ID: NIST SP 800-53 Rev. 5 AU-11 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1136 - Audit Record Retention | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |

Audit Record Generation

ID: NIST SP 800-53 Rev. 5 AU-12 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | The Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations, and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without Advanced Data Security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies such as 'Windows Exploit guard should be enabled' become available. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows or Linux virtual machine (VM) on which the Log Analytics agent is not installed. Security Center uses this agent to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment, and run-time protection for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Managed Control 1137 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1138 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1139 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A Network Watcher resource group must be created in every region where a virtual network is present. An alert is raised if a Network Watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.1.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |

System-wide and Time-correlated Audit Trail

ID: NIST SP 800-53 Rev. 5 AU-12 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. AuditIfNotExists, Disabled 4.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 1.0.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail Microsoft implements this Audit and Accountability control audit 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring lets you diagnose problems with an end-to-end view of the network. A network watcher resource group must exist in every region where a virtual network is present; an alert is raised if one is missing in a particular region. AuditIfNotExists, Disabled 3.0.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Virtual Machine Scale Sets should be enabled Enable logs so that the activity trail can be recreated when an incident or a compromise has to be investigated. AuditIfNotExists, Disabled 2.1.0
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol AuditIfNotExists, Disabled 1.0.1

Changes by Authorized Individuals

ID: NIST SP 800-53 Rev. 5 AU-12 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals Microsoft implements this Audit and Accountability control audit 1.0.0

Assessment, Authorization, and Monitoring

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 CA-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Control Assessments

ID: NIST SP 800-53 Rev. 5 CA-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1144 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1145 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1146 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1147 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Independent Assessors

ID: NIST SP 800-53 Rev. 5 CA-2 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1148 - Security Assessments | Independent Assessors Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Specialized Assessments

ID: NIST SP 800-53 Rev. 5 CA-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Leveraging Results from External Organizations

ID: NIST SP 800-53 Rev. 5 CA-2 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1150 - Security Assessments | External Organizations Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Information Exchange

ID: NIST SP 800-53 Rev. 5 CA-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1151 - System Interconnections Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1152 - System Interconnections Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1153 - System Interconnections Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Plan of Action and Milestones

ID: NIST SP 800-53 Rev. 5 CA-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1156 - Plan Of Action And Milestones Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1157 - Plan Of Action And Milestones Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Authorization

ID: NIST SP 800-53 Rev. 5 CA-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1158 - Security Authorization Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1159 - Security Authorization Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1160 - Security Authorization Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Continuous Monitoring

ID: NIST SP 800-53 Rev. 5 CA-7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1161 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1162 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1163 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1164 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1165 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1166 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1167 - Continuous Monitoring Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Independent Assessment

ID: NIST SP 800-53 Rev. 5 CA-7 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Trend Analyses

ID: NIST SP 800-53 Rev. 5 CA-7 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Penetration Testing

ID: NIST SP 800-53 Rev. 5 CA-8 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1170 - Penetration Testing Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Independent Penetration Testing Agent or Team

ID: NIST SP 800-53 Rev. 5 CA-8 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Internal System Connections

ID: NIST SP 800-53 Rev. 5 CA-9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1172 - Internal System Connections Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1173 - Internal System Connections Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Configuration Management

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 CM-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1174 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1175 - Configuration Management Policy And Procedures Microsoft implements this Configuration Management control audit 1.0.0

Baseline Configuration

ID: NIST SP 800-53 Rev. 5 CM-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1176 - Baseline Configuration Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates Microsoft implements this Configuration Management control audit 1.0.0

Automation Support for Accuracy and Currency

ID: NIST SP 800-53 Rev. 5 CM-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency Microsoft implements this Configuration Management control audit 1.0.0

Retention of Previous Configurations

ID: NIST SP 800-53 Rev. 5 CM-2 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations Microsoft implements this Configuration Management control audit 1.0.0

Configure Systems and Components for High-risk Areas

ID: NIST SP 800-53 Rev. 5 CM-2 (7) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas Microsoft implements this Configuration Management control audit 1.0.0

Configuration Change Control

ID: NIST SP 800-53 Rev. 5 CM-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1184 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1185 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1186 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1187 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1188 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1189 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1190 - Configuration Change Control Microsoft implements this Configuration Management control audit 1.0.0

Automated Documentation, Notification, and Prohibition of Changes

ID: NIST SP 800-53 Rev. 5 CM-3 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1191 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1192 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1193 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1194 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1195 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1196 - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes Microsoft implements this Configuration Management control audit 1.0.0

Testing, Validation, and Documentation of Changes

ID: NIST SP 800-53 Rev. 5 CM-3 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes Microsoft implements this Configuration Management control audit 1.0.0

Security and Privacy Representatives

ID: NIST SP 800-53 Rev. 5 CM-3 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1198 - Configuration Change Control | Security Representative Microsoft implements this Configuration Management control audit 1.0.0

Cryptography Management

ID: NIST SP 800-53 Rev. 5 CM-3 (6) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management Microsoft implements this Configuration Management control audit 1.0.0

Impact Analyses

ID: NIST SP 800-53 Rev. 5 CM-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1200 - Security Impact Analysis Microsoft implements this Configuration Management control audit 1.0.0

Separate Test Environments

ID: NIST SP 800-53 Rev. 5 CM-4 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments Microsoft implements this Configuration Management control audit 1.0.0

Access Restrictions for Change

ID: NIST SP 800-53 Rev. 5 CM-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1202 - Access Restrictions For Change Microsoft implements this Configuration Management control audit 1.0.0

Automated Access Enforcement and Audit Records

ID: NIST SP 800-53 Rev. 5 CM-5 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing Microsoft implements this Configuration Management control audit 1.0.0

Privilege Limitation for Production and Operation

ID: NIST SP 800-53 Rev. 5 CM-5 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges Microsoft implements this Configuration Management control audit 1.0.0

Configuration Settings

ID: NIST SP 800-53 Rev. 5 CM-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. Audit, Disabled 3.0.0
App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. AuditIfNotExists, Disabled 2.0.0
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Audit, Disabled 1.0.2
Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Audit, Disabled 3.0.0
Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 2.0.0
Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. AuditIfNotExists, Disabled 2.0.0
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 10.0.1
Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 6.0.1
Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.0.1
Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.0.1
Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 10.0.1
Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.0.1
Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.0.1
Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.0.1
Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 7.0.1
Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 9.0.1
Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 10.0.1
Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. audit, Audit, deny, Deny, disabled, Disabled 8.0.1
Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 1.3.0
Microsoft Managed Control 1208 - Configuration Settings Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1209 - Configuration Settings Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1210 - Configuration Settings Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1211 - Configuration Settings Microsoft implements this Configuration Management control audit 1.0.0
Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. AuditIfNotExists, Disabled 1.0.0
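The Kubernetes rows in the CM-6 table above each name one pod-spec setting that the Azure Policy Add-on (Gatekeeper) audits or denies at admission time. The following is an added example, not code from this page or from the initiative: a standard-library-only Python pre-check that evaluates a pod spec against those same settings so a manifest can be linted in CI before it ever reaches the cluster. The registry, host paths, host-port range, UID range and resource ceilings are assumed values standing in for the parameters an assignment would supply; both pod specs are constructed samples. It complements, and does not replace, the admission-time enforcement the policies provide.

```python
"""Pre-check a pod spec against the settings the CM-6 Kubernetes policies audit/deny.
Added example; thresholds are assumptions, not values taken from the initiative."""
from typing import Any, Dict, List

# Assumed parameters (hypothetical registry, paths and ranges).
ALLOWED_REGISTRIES = ("myregistry.azurecr.io/",)
ALLOWED_CAPABILITIES = {"NET_BIND_SERVICE"}
ALLOWED_HOST_PATHS = ("/var/log/app",)
ALLOWED_HOST_PORTS = range(30000, 32768)
ALLOWED_UID_RANGE = range(1000, 65536)
MAX_CPU_MILLICORES = 2000
MAX_MEMORY_BYTES = 2 * 1024 ** 3
# Binary suffixes listed before decimal ones so "Mi" is matched before "M".
_MEM_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
              "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}

def parse_cpu(quantity: Any) -> int:
    """Kubernetes CPU quantity to millicores: '500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    q = str(quantity)
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)

def parse_memory(quantity: Any) -> int:
    """Kubernetes memory quantity to bytes: '256Mi' -> 268435456, '1G' -> 1000000000."""
    q = str(quantity)
    for unit, mult in _MEM_UNITS.items():
        if q.endswith(unit):
            return int(float(q[: -len(unit)]) * mult)
    return int(q)  # a bare integer is already bytes

def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one message per violated rule; an empty list means the pod passes."""
    name, spec = pod["metadata"]["name"], pod["spec"]
    pod_sc = spec.get("securityContext", {})
    v: List[str] = []
    # Pod-level rules: host namespaces and hostPath mounts.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            v.append(f"{name}: {flag} is enabled")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None and not any(
                path == p or path.startswith(p.rstrip("/") + "/") for p in ALLOWED_HOST_PATHS):
            v.append(f"{name}: hostPath {path} not in allow list")
    # Container-level rules, applied to init containers as well.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname, sc = f"{name}/{c['name']}", c.get("securityContext", {})
        if not any(c.get("image", "").startswith(r) for r in ALLOWED_REGISTRIES):
            v.append(f"{cname}: image {c.get('image')} not from an allowed registry")
        if sc.get("privileged"):
            v.append(f"{cname}: privileged container")
        # An unset allowPrivilegeEscalation permits escalation, so require an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{cname}: allowPrivilegeEscalation not set to false")
        if sc.get("readOnlyRootFilesystem") is not True:
            v.append(f"{cname}: root filesystem is writable")
        extra = set(sc.get("capabilities", {}).get("add", [])) - ALLOWED_CAPABILITIES
        if extra:
            v.append(f"{cname}: disallowed capabilities {sorted(extra)}")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))  # container overrides pod
        if uid is None or uid not in ALLOWED_UID_RANGE:
            v.append(f"{cname}: runAsUser {uid} outside approved range")
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            if hp is not None and hp not in ALLOWED_HOST_PORTS:
                v.append(f"{cname}: hostPort {hp} outside approved range")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or parse_cpu(limits["cpu"]) > MAX_CPU_MILLICORES:
            v.append(f"{cname}: cpu limit missing or above {MAX_CPU_MILLICORES}m")
        if "memory" not in limits or parse_memory(limits["memory"]) > MAX_MEMORY_BYTES:
            v.append(f"{cname}: memory limit missing or above {MAX_MEMORY_BYTES} bytes")
    return v

# Constructed samples: a "debug" pod of the kind these policies exist to block,
# and a hardened web pod that satisfies every rule.
BAD_POD = {"metadata": {"name": "debug"}, "spec": {
    "hostPID": True, "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "docker.io/library/busybox:latest",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                    "ports": [{"containerPort": 22, "hostPort": 22}]}]}}
GOOD_POD = {"metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsUser": 10001},
    "containers": [{"name": "app", "image": "myregistry.azurecr.io/web/app:1.4.2",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or ["compliant"])
```

Two design points carry over to the real policies: `allowPrivilegeEscalation` and `readOnlyRootFilesystem` are treated as violations when unset rather than only when set to the wrong value, because an unset field yields the permissive kernel default; and the UID check falls back to the pod-level `securityContext` only when the container does not set its own, matching Kubernetes precedence.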

Automated Management, Application, and Verification

ID: NIST SP 800-53 Rev. 5 CM-6 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification Microsoft implements this Configuration Management control audit 1.0.0

Respond to Unauthorized Changes

ID: NIST SP 800-53 Rev. 5 CM-6 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes Microsoft implements this Configuration Management control audit 1.0.0

Least Functionality

ID: NIST SP 800-53 Rev. 5 CM-7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Microsoft Managed Control 1214 - Least Functionality Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1215 - Least Functionality Microsoft implements this Configuration Management control audit 1.0.0

Periodic Review

ID: NIST SP 800-53 Rev. 5 CM-7 (1) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1216 - Least Functionality | Periodic Review Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1217 - Least Functionality | Periodic Review Microsoft implements this Configuration Management control audit 1.0.0

Prevent Program Execution

ID: NIST SP 800-53 Rev. 5 CM-7 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution Microsoft implements this Configuration Management control audit 1.0.0

Authorized Software - Allow-by-exception

ID: NIST SP 800-53 Rev. 5 CM-7 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting Microsoft implements this Configuration Management control audit 1.0.0

System Component Inventory

ID: NIST SP 800-53 Rev. 5 CM-8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1222 - Information System Component Inventory Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1223 - Information System Component Inventory Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components Microsoft implements this Configuration Management control audit 1.0.0

Updates During Installation and Removal

ID: NIST SP 800-53 Rev. 5 CM-8 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals Microsoft implements this Configuration Management control audit 1.0.0

Automated Maintenance

ID: NIST SP 800-53 Rev. 5 CM-8 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance Microsoft implements this Configuration Management control audit 1.0.0

Automated Unauthorized Component Detection

ID: NIST SP 800-53 Rev. 5 CM-8 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations Microsoft implements this Configuration Management control audit 1.0.0

Accountability Information

ID: NIST SP 800-53 Rev. 5 CM-8 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information Microsoft implements this Configuration Management control audit 1.0.0

Configuration Management Plan

ID: NIST SP 800-53 Rev. 5 CM-9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1230 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1231 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1232 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1233 - Configuration Management Plan Microsoft implements this Configuration Management control audit 1.0.0

Software Usage Restrictions

ID: NIST SP 800-53 Rev. 5 CM-10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1234 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1235 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1236 - Software Usage Restrictions Microsoft implements this Configuration Management control audit 1.0.0

Open-source Software

ID: NIST SP 800-53 Rev. 5 CM-10 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software Microsoft implements this Configuration Management control audit 1.0.0

User-installed Software

ID: NIST SP 800-53 Rev. 5 CM-11 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. AuditIfNotExists, Disabled 3.0.0
Allowlist rules in your adaptive application control policy should be updated Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1238 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1239 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0
Microsoft Managed Control 1240 - User-Installed Software Microsoft implements this Configuration Management control audit 1.0.0

Contingency Planning

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 CP-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures Microsoft implements this Contingency Planning control audit 1.0.0

Contingency Plan

ID: NIST SP 800-53 Rev. 5 CP-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1244 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1245 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1246 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1247 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1248 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1249 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1250 - Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0

ID: NIST SP 800-53 Rev. 5 CP-2 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0

Capacity Planning

ID: NIST SP 800-53 Rev. 5 CP-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning Microsoft implements this Contingency Planning control audit 1.0.0

Resume Mission and Business Functions

ID: NIST SP 800-53 Rev. 5 CP-2 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0

Continue Mission and Business Functions

ID: NIST SP 800-53 Rev. 5 CP-2 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions Microsoft implements this Contingency Planning control audit 1.0.0

Identify Critical Assets

ID: NIST SP 800-53 Rev. 5 CP-2 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets Microsoft implements this Contingency Planning control audit 1.0.0

Contingency Training

ID: NIST SP 800-53 Rev. 5 CP-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1257 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1258 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1259 - Contingency Training Microsoft implements this Contingency Planning control audit 1.0.0

Simulated Events

ID: NIST SP 800-53 Rev. 5 CP-3 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1260 - Contingency Training | Simulated Events Microsoft implements this Contingency Planning control audit 1.0.0

Contingency Plan Testing

ID: NIST SP 800-53 Rev. 5 CP-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1261 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1262 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1263 - Contingency Plan Testing Microsoft implements this Contingency Planning control audit 1.0.0

ID: NIST SP 800-53 Rev. 5 CP-4 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans Microsoft implements this Contingency Planning control audit 1.0.0

Alternate Processing Site

ID: NIST SP 800-53 Rev. 5 CP-4 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0

Alternate Storage Site

ID: NIST SP 800-53 Rev. 5 CP-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant storage should be enabled for Storage Accounts Use geo-redundancy to create highly available applications Audit, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Microsoft Managed Control 1267 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1268 - Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0

Separation from Primary Site

ID: NIST SP 800-53 Rev. 5 CP-6 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant storage should be enabled for Storage Accounts Use geo-redundancy to create highly available applications Audit, Disabled 1.0.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0

Recovery Time and Recovery Point Objectives

ID: NIST SP 800-53 Rev. 5 CP-6 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives Microsoft implements this Contingency Planning control audit 1.0.0

Accessibility

ID: NIST SP 800-53 Rev. 5 CP-6 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0

Alternate Processing Site

ID: NIST SP 800-53 Rev. 5 CP-7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Microsoft Managed Control 1272 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1273 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1274 - Alternate Processing Site Microsoft implements this Contingency Planning control audit 1.0.0

Separation from Primary Site

ID: NIST SP 800-53 Rev. 5 CP-7 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site Microsoft implements this Contingency Planning control audit 1.0.0

Accessibility

ID: NIST SP 800-53 Rev. 5 CP-7 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility Microsoft implements this Contingency Planning control audit 1.0.0

Priority of Service

ID: NIST SP 800-53 Rev. 5 CP-7 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service Microsoft implements this Contingency Planning control audit 1.0.0

Preparation for Use

ID: NIST SP 800-53 Rev. 5 CP-7 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use Microsoft implements this Contingency Planning control audit 1.0.0

Telecommunications Services

ID: NIST SP 800-53 Rev. 5 CP-8 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1279 - Telecommunications Services Microsoft implements this Contingency Planning control audit 1.0.0

Priority of Service Provisions

ID: NIST SP 800-53 Rev. 5 CP-8 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions Microsoft implements this Contingency Planning control audit 1.0.0

Single Points of Failure

ID: NIST SP 800-53 Rev. 5 CP-8 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure Microsoft implements this Contingency Planning control audit 1.0.0

Separation of Primary and Alternate Providers

ID: NIST SP 800-53 Rev. 5 CP-8 (3) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers Microsoft implements this Contingency Planning control audit 1.0.0

Provider Contingency Plan

ID: NIST SP 800-53 Rev. 5 CP-8 (4) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan Microsoft implements this Contingency Planning control audit 1.0.0

System Backup

ID: NIST SP 800-53 Rev. 5 CP-9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for MySQL Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Geo-redundant backup should be enabled for Azure Database for PostgreSQL Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
Key vaults should have purge protection enabled Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Audit, Deny, Disabled 2.0.0
Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Audit, Deny, Disabled 3.0.0
Microsoft Managed Control 1287 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1288 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1289 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0
Microsoft Managed Control 1290 - Information System Backup Microsoft implements this Contingency Planning control audit 1.0.0

Testing for Reliability and Integrity

ID: NIST SP 800-53 Rev. 5 CP-9 (1) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity Microsoft implements this Contingency Planning control audit 1.0.0

Test Restoration Using Sampling

ID: NIST SP 800-53 Rev. 5 CP-9 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling Microsoft implements this Contingency Planning control audit 1.0.0

Separate Storage for Critical Information

ID: NIST SP 800-53 Rev. 5 CP-9 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information Microsoft implements this Contingency Planning control audit 1.0.0

Transfer to Alternate Storage Site

ID: NIST SP 800-53 Rev. 5 CP-9 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site Microsoft implements this Contingency Planning control audit 1.0.0

System Recovery and Reconstitution

ID: NIST SP 800-53 Rev. 5 CP-10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1295 - Information System Recovery And Reconstitution Microsoft implements this Contingency Planning control audit 1.0.0

Transaction Recovery

ID: NIST SP 800-53 Rev. 5 CP-10 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery Microsoft implements this Contingency Planning control audit 1.0.0

Restore Within Time Period

ID: NIST SP 800-53 Rev. 5 CP-10 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period Microsoft implements this Contingency Planning control audit 1.0.0

Identification and Authentication

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 IA-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures Microsoft implements this Identification and Authentication control audit 1.0.0

Identification and Authentication (Organizational Users)

ID: NIST SP 800-53 Rev. 5 IA-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
App Service apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
Cognitive Services accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Audit, Deny, Disabled 1.0.0
Function apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.1
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1300 - User Identification And Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0

Multi-factor Authentication to Privileged Accounts

ID: NIST SP 800-53 Rev. 5 IA-2 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled for accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.1
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts Microsoft implements this Identification and Authentication control audit 1.0.0

Multi-factor Authentication to Non-privileged Accounts

ID: NIST SP 800-53 Rev. 5 IA-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts Microsoft implements this Identification and Authentication control audit 1.0.0

Individual Authentication with Group Authentication

ID: NIST SP 800-53 Rev. 5 IA-2 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication Microsoft implements this Identification and Authentication control audit 1.0.0

Access to Accounts - Replay Resistant

ID: NIST SP 800-53 Rev. 5 IA-2 (8) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay... Microsoft implements this Identification and Authentication control audit 1.0.0

Acceptance of PIV Credentials

ID: NIST SP 800-53 Rev. 5 IA-2 (12) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials Microsoft implements this Identification and Authentication control audit 1.0.0

Device Identification and Authentication

ID: NIST SP 800-53 Rev. 5 IA-3 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1310 - Device Identification And Authentication Microsoft implements this Identification and Authentication control audit 1.0.0

Identifier Management

ID: NIST SP 800-53 Rev. 5 IA-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
App Service apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
Cognitive Services accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Audit, Deny, Disabled 1.0.0
Function apps should use managed identity Use a managed identity for enhanced authentication security AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1311 - Identifier Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1312 - Identifier Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1313 - Identifier Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1314 - Identifier Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1315 - Identifier Management Microsoft implements this Identification and Authentication control audit 1.0.0
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric Audit, Deny, Disabled 1.1.0

Identify User Status

ID: NIST SP 800-53 Rev. 5 IA-4 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1316 - Identifier Management | Identify User Status Microsoft implements this Identification and Authentication control audit 1.0.0

Authenticator Management

ID: NIST SP 800-53 Rev. 5 IA-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. AuditIfNotExists, Disabled 1.2.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. AuditIfNotExists, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Microsoft Managed Control 1317 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1318 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1319 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1320 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1321 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1322 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1323 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1324 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1325 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1326 - Authenticator Management Microsoft implements this Identification and Authentication control audit 1.0.0

Password-based Authentication

ID: NIST SP 800-53 Rev. 5 IA-5 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.1.0
Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. AuditIfNotExists, Disabled 1.2.0
Audit Windows machines that allow re-use of the previous 24 passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords. AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have a maximum password age of 70 days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days. AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have a minimum password age of 1 day Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day. AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not restrict the minimum password length to 14 characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to 14 characters. AuditIfNotExists, Disabled 1.0.0
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. AuditIfNotExists, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination Microsoft implements this Identification and Authentication control audit 1.0.0

Public Key-based Authentication

ID: NIST SP 800-53 Rev. 5 IA-5 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1335 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication Microsoft implements this Identification and Authentication control audit 1.0.0

Protection of Authenticators

ID: NIST SP 800-53 Rev. 5 IA-5 (6) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators Microsoft implements this Identification and Authentication control audit 1.0.0

No Embedded Unencrypted Static Authenticators

ID: NIST SP 800-53 Rev. 5 IA-5 (7) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators Microsoft implements this Identification and Authentication control audit 1.0.0

Multiple System Accounts

ID: NIST SP 800-53 Rev. 5 IA-5 (8) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts Microsoft implements this Identification and Authentication control audit 1.0.0

Expiration of Cached Authenticators

ID: NIST SP 800-53 Rev. 5 IA-5 (13) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators Microsoft implements this Identification and Authentication control audit 1.0.0

Authentication Feedback

ID: NIST SP 800-53 Rev. 5 IA-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1344 - Authenticator Feedback Microsoft implements this Identification and Authentication control audit 1.0.0

Cryptographic Module Authentication

ID: NIST SP 800-53 Rev. 5 IA-7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1345 - Cryptographic Module Authentication Microsoft implements this Identification and Authentication control audit 1.0.0

Identification and Authentication (non-organizational Users)

ID: NIST SP 800-53 Rev. 5 IA-8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) Microsoft implements this Identification and Authentication control audit 1.0.0

Acceptance of PIV Credentials from Other Agencies

ID: NIST SP 800-53 Rev. 5 IA-8 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials... Microsoft implements this Identification and Authentication control audit 1.0.0

Acceptance of External Authenticators

ID: NIST SP 800-53 Rev. 5 IA-8 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party... Microsoft implements this Identification and Authentication control audit 1.0.0
Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products Microsoft implements this Identification and Authentication control audit 1.0.0

Use of Defined Profiles

ID: NIST SP 800-53 Rev. 5 IA-8 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles Microsoft implements this Identification and Authentication control audit 1.0.0

Incident Response

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 IR-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1351 - Incident Response Policy And Procedures Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1352 - Incident Response Policy And Procedures Microsoft implements this Incident Response control audit 1.0.0

Incident Response Training

ID: NIST SP 800-53 Rev. 5 IR-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1353 - Incident Response Training Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1354 - Incident Response Training Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1355 - Incident Response Training Microsoft implements this Incident Response control audit 1.0.0

Simulated Events

ID: NIST SP 800-53 Rev. 5 IR-2 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1356 - Incident Response Training | Simulated Events Microsoft implements this Incident Response control audit 1.0.0

Automated Training Environments

ID: NIST SP 800-53 Rev. 5 IR-2 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments Microsoft implements this Incident Response control audit 1.0.0

Incident Response Testing

ID: NIST SP 800-53 Rev. 5 IR-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1358 - Incident Response Testing Microsoft implements this Incident Response control audit 1.0.0

Coordination with Related Plans

ID: NIST SP 800-53 Rev. 5 IR-3 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans Microsoft implements this Incident Response control audit 1.0.0

Incident Handling

ID: NIST SP 800-53 Rev. 5 IR-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. AuditIfNotExists, Disabled 1.0.1
Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. AuditIfNotExists, Disabled 2.0.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1360 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1361 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1362 - Incident Handling Microsoft implements this Incident Response control audit 1.0.0
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. AuditIfNotExists, Disabled 1.0.1

Automated Incident Handling Processes

ID: NIST SP 800-53 Rev. 5 IR-4 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes Microsoft implements this Incident Response control audit 1.0.0

Dynamic Reconfiguration

ID: NIST SP 800-53 Rev. 5 IR-4 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration Microsoft implements this Incident Response control audit 1.0.0

Continuity of Operations

ID: NIST SP 800-53 Rev. 5 IR-4 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations Microsoft implements this Incident Response control audit 1.0.0

Information Correlation

ID: NIST SP 800-53 Rev. 5 IR-4 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1366 - Incident Handling | Information Correlation Microsoft implements this Incident Response control audit 1.0.0

Insider Threats

ID: NIST SP 800-53 Rev. 5 IR-4 (6) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities Microsoft implements this Incident Response control audit 1.0.0

Correlation with External Organizations

ID: NIST SP 800-53 Rev. 5 IR-4 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations Microsoft implements this Incident Response control audit 1.0.0

Incident Monitoring

ID: NIST SP 800-53 Rev. 5 IR-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. AuditIfNotExists, Disabled 1.0.1
Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. AuditIfNotExists, Disabled 2.0.0
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1369 - Incident Monitoring Microsoft implements this Incident Response control audit 1.0.0
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. AuditIfNotExists, Disabled 1.0.1

Automated Tracking, Data Collection, and Analysis

ID: NIST SP 800-53 Rev. 5 IR-5 (1) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis Microsoft implements this Incident Response control audit 1.0.0

Incident Reporting

ID: NIST SP 800-53 Rev. 5 IR-6 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1371 - Incident Reporting Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1372 - Incident Reporting Microsoft implements this Incident Response control audit 1.0.0

Automated Reporting

ID: NIST SP 800-53 Rev. 5 IR-6 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting Microsoft implements this Incident Response control audit 1.0.0

ID: NIST SP 800-53 Rev. 5 IR-6 (2) Ownership: Customer

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. AuditIfNotExists, Disabled 1.0.1
Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. AuditIfNotExists, Disabled 2.0.0
Subscriptions should have a contact email address for security issues To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. AuditIfNotExists, Disabled 1.0.1

Incident Response Assistance

ID: NIST SP 800-53 Rev. 5 IR-7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1374 - Incident Response Assistance Microsoft implements this Incident Response control audit 1.0.0

Automation Support for Availability of Information and Support

ID: NIST SP 800-53 Rev. 5 IR-7 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support Microsoft implements this Incident Response control audit 1.0.0

Coordination with External Providers

ID: NIST SP 800-53 Rev. 5 IR-7 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control audit 1.0.0

Incident Response Plan

ID: NIST SP 800-53 Rev. 5 IR-8 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1378 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1379 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1380 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1381 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1382 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1383 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0

Information Spillage Response

ID: NIST SP 800-53 Rev. 5 IR-9 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1384 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1385 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1386 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1387 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1388 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1389 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel Microsoft implements this Incident Response control audit 1.0.0

Training

ID: NIST SP 800-53 Rev. 5 IR-9 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1391 - Information Spillage Response | Training Microsoft implements this Incident Response control audit 1.0.0

Post-spill Operations

ID: NIST SP 800-53 Rev. 5 IR-9 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations Microsoft implements this Incident Response control audit 1.0.0

Exposure to Unauthorized Personnel

ID: NIST SP 800-53 Rev. 5 IR-9 (4) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel Microsoft implements this Incident Response control audit 1.0.0

Maintenance

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 MA-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1394 - System Maintenance Policy And Procedures Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1395 - System Maintenance Policy And Procedures Microsoft implements this Maintenance control audit 1.0.0

Controlled Maintenance

ID: NIST SP 800-53 Rev. 5 MA-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1396 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1397 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1398 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1399 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1400 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1401 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0

Automated Maintenance Activities

ID: NIST SP 800-53 Rev. 5 MA-2 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities Microsoft implements this Maintenance control audit 1.0.0

Maintenance Tools

ID: NIST SP 800-53 Rev. 5 MA-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1404 - Maintenance Tools Microsoft implements this Maintenance control audit 1.0.0

Inspect Tools

ID: NIST SP 800-53 Rev. 5 MA-3 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools Microsoft implements this Maintenance control audit 1.0.0

Inspect Media

ID: NIST SP 800-53 Rev. 5 MA-3 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media Microsoft implements this Maintenance control audit 1.0.0

Prevent Unauthorized Removal

ID: NIST SP 800-53 Rev. 5 MA-3 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0

Nonlocal Maintenance

ID: NIST SP 800-53 Rev. 5 MA-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1411 - Remote Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1412 - Remote Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1413 - Remote Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1414 - Remote Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1415 - Remote Maintenance Microsoft implements this Maintenance control audit 1.0.0

Comparable Security and Sanitization

ID: NIST SP 800-53 Rev. 5 MA-4 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control audit 1.0.0

Cryptographic Protection

ID: NIST SP 800-53 Rev. 5 MA-4 (6) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection Microsoft implements this Maintenance control audit 1.0.0

Maintenance Personnel

ID: NIST SP 800-53 Rev. 5 MA-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1420 - Maintenance Personnel Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1421 - Maintenance Personnel Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1422 - Maintenance Personnel Microsoft implements this Maintenance control audit 1.0.0

Individuals Without Appropriate Access

ID: NIST SP 800-53 Rev. 5 MA-5 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access Microsoft implements this Maintenance control audit 1.0.0

Timely Maintenance

ID: NIST SP 800-53 Rev. 5 MA-6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1425 - Timely Maintenance Microsoft implements this Maintenance control audit 1.0.0

Media Protection

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 MP-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1426 - Media Protection Policy And Procedures Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1427 - Media Protection Policy And Procedures Microsoft implements this Media Protection control audit 1.0.0

Media Access

ID: NIST SP 800-53 Rev. 5 MP-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1428 - Media Access Microsoft implements this Media Protection control audit 1.0.0

Media Marking

ID: NIST SP 800-53 Rev. 5 MP-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1429 - Media Labeling Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1430 - Media Labeling Microsoft implements this Media Protection control audit 1.0.0

Media Storage

ID: NIST SP 800-53 Rev. 5 MP-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1431 - Media Storage Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1432 - Media Storage Microsoft implements this Media Protection control audit 1.0.0

Media Transport

ID: NIST SP 800-53 Rev. 5 MP-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1433 - Media Transport Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1434 - Media Transport Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1435 - Media Transport Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1436 - Media Transport Microsoft implements this Media Protection control audit 1.0.0

Media Sanitization

ID: NIST SP 800-53 Rev. 5 MP-6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1438 - Media Sanitization And Disposal Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1439 - Media Sanitization And Disposal Microsoft implements this Media Protection control audit 1.0.0

Review, Approve, Track, Document, and Verify

ID: NIST SP 800-53 Rev. 5 MP-6 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify Microsoft implements this Media Protection control audit 1.0.0

Equipment Testing

ID: NIST SP 800-53 Rev. 5 MP-6 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing Microsoft implements this Media Protection control audit 1.0.0

Nondestructive Techniques

ID: NIST SP 800-53 Rev. 5 MP-6 (3) Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques Microsoft implements this Media Protection control audit 1.0.0

Media Use

ID: NIST SP 800-53 Rev. 5 MP-7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1443 - Media Use Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner Microsoft implements this Media Protection control audit 1.0.0

Physical and Environmental Protection

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 PE-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Physical Access Authorizations

ID: NIST SP 800-53 Rev. 5 PE-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1447 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1448 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1449 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1450 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Physical Access Control

ID: NIST SP 800-53 Rev. 5 PE-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1451 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1452 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1453 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1454 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1455 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1456 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1457 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0

System Access

ID: NIST SP 800-53 Rev. 5 PE-3 (1) Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1458 - Physical Access Control | Information System Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Access Control for Transmission

ID: NIST SP 800-53 Rev. 5 PE-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1459 - Access Control For Transmission Medium Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Access Control for Output Devices

ID: NIST SP 800-53 Rev. 5 PE-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1460 - Access Control For Output Devices Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Monitoring Physical Access

ID: NIST SP 800-53 Rev. 5 PE-6 Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1461 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1462 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1463 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Intrusion Alarms and Surveillance Equipment

ID: NIST SP 800-53 Rev. 5 PE-6 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Monitoring Physical Access to Systems

ID: NIST SP 800-53 Rev. 5 PE-6 (4) Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Visitor Access Records

ID: NIST SP 800-53 Rev. 5 PE-8 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1466 - Visitor Access Records Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1467 - Visitor Access Records Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Automated Records Maintenance and Review

ID: NIST SP 800-53 Rev. 5 PE-8 (1) Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Power Equipment and Cabling

ID: NIST SP 800-53 Rev. 5 PE-9 Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1469 - Power Equipment And Cabling Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Emergency Shutoff

ID: NIST SP 800-53 Rev. 5 PE-10 Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1470 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1471 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1472 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Emergency Power

ID: NIST SP 800-53 Rev. 5 PE-11 Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1473 - Emergency Power Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Alternate Power Supply - Minimal Operational Capability

ID: NIST SP 800-53 Rev. 5 PE-11 (1) Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Emergency Lighting

ID: NIST SP 800-53 Rev. 5 PE-12 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1475 - Emergency Lighting Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Fire Protection

ID: NIST SP 800-53 Rev. 5 PE-13 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1476 - Fire Protection Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Detection Systems - Automatic Activation and Notification

ID: NIST SP 800-53 Rev. 5 PE-13 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Suppression Systems - Automatic Activation and Notification

ID: NIST SP 800-53 Rev. 5 PE-13 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Environmental Controls

ID: NIST SP 800-53 Rev. 5 PE-14 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1480 - Temperature And Humidity Controls Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1481 - Temperature And Humidity Controls Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Monitoring with Alarms and Notifications

ID: NIST SP 800-53 Rev. 5 PE-14 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Water Damage Protection

ID: NIST SP 800-53 Rev. 5 PE-15 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1483 - Water Damage Protection Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Automation Support

ID: NIST SP 800-53 Rev. 5 PE-15 (1) Ownership: Microsoft

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1484 - Water Damage Protection | Automation Support Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Delivery and Removal

ID: NIST SP 800-53 Rev. 5 PE-16 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1485 - Delivery And Removal Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Alternate Work Site

ID: NIST SP 800-53 Rev. 5 PE-17 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1486 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1487 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1488 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Location of System Components

ID: NIST SP 800-53 Rev. 5 PE-18 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1489 - Location Of Information System Components Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Planning

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 PL-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1490 - Security Planning Policy And Procedures Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1491 - Security Planning Policy And Procedures Microsoft implements this Planning control audit 1.0.0

System Security and Privacy Plans

ID: NIST SP 800-53 Rev. 5 PL-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1492 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1493 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1494 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1495 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1496 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities Microsoft implements this Planning control audit 1.0.0

Rules of Behavior

ID: NIST SP 800-53 Rev. 5 PL-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1498 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1499 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1500 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1501 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0

Social Media and External Site/Application Usage Restrictions

ID: NIST SP 800-53 Rev. 5 PL-4 (1) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions Microsoft implements this Planning control audit 1.0.0

Security and Privacy Architectures

ID: NIST SP 800-53 Rev. 5 PL-8 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1503 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1504 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1505 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0

Personnel Security

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 PS-1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1506 - Personnel Security Policy And Procedures Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1507 - Personnel Security Policy And Procedures Microsoft implements this Personnel Security control audit 1.0.0

Position Risk Designation

ID: NIST SP 800-53 Rev. 5 PS-2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1508 - Position Categorization Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1509 - Position Categorization Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1510 - Position Categorization Microsoft implements this Personnel Security control audit 1.0.0

Personnel Screening

ID: NIST SP 800-53 Rev. 5 PS-3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1511 - Personnel Screening Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1512 - Personnel Screening Microsoft implements this Personnel Security control audit 1.0.0

Information Requiring Special Protective Measures

ID: NIST SP 800-53 Rev. 5 PS-3 (3) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures Microsoft implements this Personnel Security control audit 1.0.0

Personnel Termination

ID: NIST SP 800-53 Rev. 5 PS-4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1515 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1516 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1517 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1518 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1519 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1520 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0

Automated Actions

ID: NIST SP 800-53 Rev. 5 PS-4 (2) Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1521 - Personnel Termination | Automated Notification Microsoft implements this Personnel Security control audit 1.0.0

Personnel Transfer

ID: NIST SP 800-53 Rev. 5 PS-5 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1522 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1523 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1524 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1525 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0

Access Agreements

ID: NIST SP 800-53 Rev. 5 PS-6 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1526 - Access Agreements Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1527 - Access Agreements Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1528 - Access Agreements Microsoft implements this Personnel Security control audit 1.0.0

External Personnel Security

ID: NIST SP 800-53 Rev. 5 PS-7 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1529 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1530 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1531 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1532 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1533 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0

Personnel Sanctions

ID: NIST SP 800-53 Rev. 5 PS-8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1534 - Personnel Sanctions Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1535 - Personnel Sanctions Microsoft implements this Personnel Security control audit 1.0.0

Risk Assessment

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 RA-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control audit 1.0.0

Security Categorization

ID: NIST SP 800-53 Rev. 5 RA-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1538 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1539 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1540 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0

Risk Assessment

ID: NIST SP 800-53 Rev. 5 RA-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1541 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1542 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1543 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1544 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1545 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0

Vulnerability Monitoring and Scanning

ID: NIST SP 800-53 Rev. 5 RA-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. AuditIfNotExists, Disabled 1.0.0
Microsoft Managed Control 1546 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability Microsoft implements this Risk Assessment control audit 1.0.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.0.0
SQL servers on machines should have vulnerability findings resolved SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. AuditIfNotExists, Disabled 1.0.0
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Vulnerability assessment should be enabled on your Synapse workspaces Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. AuditIfNotExists, Disabled 1.0.0

Update Vulnerabilities to Be Scanned

ID: NIST SP 800-53 Rev. 5 RA-5 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified Microsoft implements this Risk Assessment control audit 1.0.0

Breadth and Depth of Coverage

ID: NIST SP 800-53 Rev. 5 RA-5 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage Microsoft implements this Risk Assessment control audit 1.0.0

Discoverable Information

ID: NIST SP 800-53 Rev. 5 RA-5 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information Microsoft implements this Risk Assessment control audit 1.0.0

Privileged Access

ID: NIST SP 800-53 Rev. 5 RA-5 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access Microsoft implements this Risk Assessment control audit 1.0.0

Automated Trend Analyses

ID: NIST SP 800-53 Rev. 5 RA-5 (6) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses Microsoft implements this Risk Assessment control audit 1.0.0

Review Historic Audit Logs

ID: NIST SP 800-53 Rev. 5 RA-5 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs Microsoft implements this Risk Assessment control audit 1.0.0

Correlate Scanning Information

ID: NIST SP 800-53 Rev. 5 RA-5 (10) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information Microsoft implements this Risk Assessment control audit 1.0.0

System and Services Acquisition

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 SA-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures Microsoft implements this System and Services Acquisition control audit 1.0.0

Allocation of Resources

ID: NIST SP 800-53 Rev. 5 SA-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1561 - Allocation Of Resources Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1562 - Allocation Of Resources Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1563 - Allocation Of Resources Microsoft implements this System and Services Acquisition control audit 1.0.0

System Development Life Cycle

ID: NIST SP 800-53 Rev. 5 SA-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1564 - System Development Life Cycle Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1565 - System Development Life Cycle Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1566 - System Development Life Cycle Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1567 - System Development Life Cycle Microsoft implements this System and Services Acquisition control audit 1.0.0

Acquisition Process

ID: NIST SP 800-53 Rev. 5 SA-4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1568 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1569 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1570 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1571 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1572 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1573 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1574 - Acquisitions Process Microsoft implements this System and Services Acquisition control audit 1.0.0

Functional Properties of Controls

ID: NIST SP 800-53 Rev. 5 SA-4 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls Microsoft implements this System and Services Acquisition control audit 1.0.0

Design and Implementation Information for Controls

ID: NIST SP 800-53 Rev. 5 SA-4 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls Microsoft implements this System and Services Acquisition control audit 1.0.0

Continuous Monitoring Plan for Controls

ID: NIST SP 800-53 Rev. 5 SA-4 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan Microsoft implements this System and Services Acquisition control audit 1.0.0

Functions, Ports, Protocols, and Services in Use

ID: NIST SP 800-53 Rev. 5 SA-4 (9) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use Microsoft implements this System and Services Acquisition control audit 1.0.0

Use of Approved PIV Products

ID: NIST SP 800-53 Rev. 5 SA-4 (10) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products Microsoft implements this System and Services Acquisition control audit 1.0.0

System Documentation

ID: NIST SP 800-53 Rev. 5 SA-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1580 - Information System Documentation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1581 - Information System Documentation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1582 - Information System Documentation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1583 - Information System Documentation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1584 - Information System Documentation Microsoft implements this System and Services Acquisition control audit 1.0.0

Security and Privacy Engineering Principles

ID: NIST SP 800-53 Rev. 5 SA-8 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1585 - Security Engineering Principles Microsoft implements this System and Services Acquisition control audit 1.0.0

External System Services

ID: NIST SP 800-53 Rev. 5 SA-9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1586 - External Information System Services Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1587 - External Information System Services Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1588 - External Information System Services Microsoft implements this System and Services Acquisition control audit 1.0.0

Risk Assessments and Organizational Approvals

ID: NIST SP 800-53 Rev. 5 SA-9 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals Microsoft implements this System and Services Acquisition control audit 1.0.0

Identification of Functions, Ports, Protocols, and Services

ID: NIST SP 800-53 Rev. 5 SA-9 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols... Microsoft implements this System and Services Acquisition control audit 1.0.0

Consistent Interests of Consumers and Providers

ID: NIST SP 800-53 Rev. 5 SA-9 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers Microsoft implements this System and Services Acquisition control audit 1.0.0

Processing, Storage, and Service Location

ID: NIST SP 800-53 Rev. 5 SA-9 (5) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location Microsoft implements this System and Services Acquisition control audit 1.0.0

Developer Configuration Management

ID: NIST SP 800-53 Rev. 5 SA-10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1594 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management Microsoft implements this System and Services Acquisition control audit 1.0.0

Software and Firmware Integrity Verification

ID: NIST SP 800-53 Rev. 5 SA-10 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification Microsoft implements this System and Services Acquisition control audit 1.0.0

Developer Testing and Evaluation

ID: NIST SP 800-53 Rev. 5 SA-11 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1600 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1601 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1602 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1603 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1604 - Developer Security Testing And Evaluation Microsoft implements this System and Services Acquisition control audit 1.0.0

Static Code Analysis

ID: NIST SP 800-53 Rev. 5 SA-11 (1) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis Microsoft implements this System and Services Acquisition control audit 1.0.0

Threat Modeling and Vulnerability Analyses

ID: NIST SP 800-53 Rev. 5 SA-11 (2) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses Microsoft implements this System and Services Acquisition control audit 1.0.0

Dynamic Code Analysis

ID: NIST SP 800-53 Rev. 5 SA-11 (8) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis Microsoft implements this System and Services Acquisition control audit 1.0.0

Development Process, Standards, and Tools

ID: NIST SP 800-53 Rev. 5 SA-15 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1609 - Development Process, Standards, And Tools Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1610 - Development Process, Standards, And Tools Microsoft implements this System and Services Acquisition control audit 1.0.0

Developer-provided Training

ID: NIST SP 800-53 Rev. 5 SA-16 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1611 - Developer-Provided Training Microsoft implements this System and Services Acquisition control audit 1.0.0

Developer Security and Privacy Architecture and Design

ID: NIST SP 800-53 Rev. 5 SA-17 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1612 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1613 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control audit 1.0.0
Microsoft Managed Control 1614 - Developer Security Architecture And Design Microsoft implements this System and Services Acquisition control audit 1.0.0

System and Communications Protection

Policy and Procedures

ID: NIST SP 800-53 Rev. 5 SC-1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures Microsoft implements this System and Communications Protection control audit 1.0.0

Separation of System and User Functionality

ID: NIST SP 800-53 Rev. 5 SC-2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1617 - Application Partitioning Microsoft implements this System and Communications Protection control audit 1.0.0

Security Function Isolation

ID: NIST SP 800-53 Rev. 5 SC-3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1618 - Security Function Isolation Microsoft implements this System and Communications Protection control audit 1.0.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0
Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). AuditIfNotExists, Disabled 1.1.1

Information in Shared System Resources

ID: NIST SP 800-53 Rev. 5 SC-4 Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1619 - Information In Shared Resources Microsoft implements this System and Communications Protection control audit 1.0.0

Denial-of-service Protection

ID: NIST SP 800-53 Rev. 5 SC-5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Azure DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. AuditIfNotExists, Disabled 3.0.0
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1620 - Denial Of Service Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0
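The three customer-side rows above (DDoS Protection Standard, WAF on Application Gateway, IP forwarding on NICs) are the ones a customer actually has to act on for SC-5; the Microsoft Managed Control row is Microsoft's own evidence. The following is an added example, not the page's content and not Microsoft's built-in policy definitions: it evaluates those three checks the way an AuditIfNotExists effect would, over constructed ARM-style resource JSON. The property names (enableDdosProtection, gatewayIPConfigurations, frontendIPConfigurations, sku.name, webApplicationFirewallConfiguration, firewallPolicy, enableIPForwarding) follow the Azure Resource Manager schema as assumed here, and the scoping logic for the DDoS row (only VNets that host an Application Gateway subnet with a public frontend are in scope) is a simplified reading of the row's description, not a copy of the built-in rule.

```python
# Added example: mimic how the three SC-5 customer rows are audited.
# Not Microsoft's policy JSON; property names are assumed ARM schema names.

# Constructed sample inventory (IDs shortened for readability):
#  - /vnets/hub hosts the gateway subnet of a gateway with a public frontend
#    and has no DDoS plan  -> should be flagged
#  - /vnets/isolated hosts no gateway -> out of scope, so not flagged
#  - /agws/edge is Standard_v2 with no WAF -> flagged
#  - /nics/web0 has IP forwarding on -> flagged; /nics/web1 is fine
SAMPLE_RESOURCES = [
    {"id": "/vnets/hub", "type": "Microsoft.Network/virtualNetworks",
     "properties": {"enableDdosProtection": False,
                    "subnets": [{"id": "/vnets/hub/subnets/agw"}]}},
    {"id": "/vnets/isolated", "type": "Microsoft.Network/virtualNetworks",
     "properties": {"enableDdosProtection": False,
                    "subnets": [{"id": "/vnets/isolated/subnets/a"}]}},
    {"id": "/agws/edge", "type": "Microsoft.Network/applicationGateways",
     "properties": {
         "sku": {"name": "Standard_v2"},
         "gatewayIPConfigurations": [
             {"properties": {"subnet": {"id": "/vnets/hub/subnets/agw"}}}],
         "frontendIPConfigurations": [
             {"properties": {"publicIPAddress": {"id": "/pips/edge"}}}],
     }},
    {"id": "/nics/web0", "type": "Microsoft.Network/networkInterfaces",
     "properties": {"enableIPForwarding": True}},
    {"id": "/nics/web1", "type": "Microsoft.Network/networkInterfaces",
     "properties": {"enableIPForwarding": False}},
]


def _by_type(resources, rtype):
    """Select resources of one ARM type (type comparison is case-insensitive)."""
    return [r for r in resources if r["type"].lower() == rtype.lower()]


def ddos_protection_findings(resources):
    """'Azure DDoS Protection Standard should be enabled'.

    Scope: VNets containing a subnet used as an Application Gateway's gateway
    subnet, where that gateway has at least one public frontend IP.
    Finding: such a VNet with enableDdosProtection != True.
    """
    exposed_subnets = set()
    for agw in _by_type(resources, "Microsoft.Network/applicationGateways"):
        props = agw["properties"]
        has_public = any("publicIPAddress" in f.get("properties", {})
                         for f in props.get("frontendIPConfigurations", []))
        if has_public:
            for cfg in props.get("gatewayIPConfigurations", []):
                exposed_subnets.add(cfg["properties"]["subnet"]["id"].lower())
    findings = []
    for vnet in _by_type(resources, "Microsoft.Network/virtualNetworks"):
        subnets = vnet["properties"].get("subnets", [])
        in_scope = any(s["id"].lower() in exposed_subnets for s in subnets)
        if in_scope and not vnet["properties"].get("enableDdosProtection", False):
            findings.append(vnet["id"])
    return findings


def waf_findings(resources):
    """'Web Application Firewall (WAF) should be enabled for Application Gateway'.

    Compliant only if the SKU is a WAF tier and either a WAF policy is attached
    (firewallPolicy) or the legacy in-resource WAF configuration is enabled.
    """
    findings = []
    for agw in _by_type(resources, "Microsoft.Network/applicationGateways"):
        props = agw["properties"]
        sku = props.get("sku", {}).get("name", "")
        legacy_on = props.get("webApplicationFirewallConfiguration", {}).get("enabled", False)
        policy_attached = "firewallPolicy" in props
        if not (sku.startswith("WAF") and (legacy_on or policy_attached)):
            findings.append(agw["id"])
    return findings


def ip_forwarding_findings(resources):
    """'IP Forwarding on your virtual machine should be disabled': any NIC
    with enableIPForwarding == True is a finding (an NVA is the expected
    exception and should be handled with a policy exemption, not by
    disabling the check)."""
    return [nic["id"]
            for nic in _by_type(resources, "Microsoft.Network/networkInterfaces")
            if nic["properties"].get("enableIPForwarding", False)]


def audit(resources):
    """Return {policy display name: [non-compliant resource IDs]}."""
    return {
        "Azure DDoS Protection Standard should be enabled":
            ddos_protection_findings(resources),
        "Web Application Firewall (WAF) should be enabled for Application Gateway":
            waf_findings(resources),
        "IP Forwarding on your virtual machine should be disabled":
            ip_forwarding_findings(resources),
    }


if __name__ == "__main__":
    for policy, ids in audit(SAMPLE_RESOURCES).items():
        state = "Compliant" if not ids else "NonCompliant -> " + ", ".join(ids)
        print(f"{policy}: {state}")
```

The point worth noticing is the scoping in the DDoS row: /vnets/isolated has no DDoS plan either, but it is reported compliant because nothing in it is exposed through a public Application Gateway frontend. An audit result of "Compliant" for that policy therefore says nothing about VNets that are exposed some other way, which is exactly the partial-view caveat stated at the top of this page.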

Resource Availability

ID: NIST SP 800-53 Rev. 5 SC-6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1621 - Resource Availability Microsoft implements this System and Communications Protection control audit 1.0.0

Boundary Protection

ID: NIST SP 800-53 Rev. 5 SC-7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Audit, Disabled 1.0.1
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit, Disabled 2.0.0
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should disable public network access Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Audit, Deny, Disabled 1.1.1
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 3.0.1
Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 3.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Audit, Deny, Disabled 2.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (for example, only when the VM is used as a network virtual appliance), so any VM that has it enabled should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1622 - Boundary Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1623 - Boundary Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1624 - Boundary Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0

Access Points

ID: NIST SP 800-53 Rev. 5 SC-7 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. Audit, Disabled 1.0.1
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit, Disabled 2.0.0
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should disable public network access Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Key Vault should have firewall enabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Audit, Deny, Disabled 1.1.1
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Disabled 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.2
Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Audit, Deny, Disabled 3.0.1
Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 3.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 3.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Audit, Deny, Disabled 2.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (for example, only when the VM is used as a network virtual appliance), so any VM that has it enabled should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1625 - Boundary Protection | Access Points Microsoft implements this System and Communications Protection control audit 1.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 2.0.0

External Telecommunications Services

ID: NIST SP 800-53 Rev. 5 SC-7 (4) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0

Deny by Default / Allow by Exception

ID: NIST SP 800-53 Rev. 5 SC-7 (5) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception Microsoft implements this System and Communications Protection control audit 1.0.0

Split Tunneling for Remote Devices

ID: NIST SP 800-53 Rev. 5 SC-7 (7) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices Microsoft implements this System and Communications Protection control audit 1.0.0

Route Traffic to Authenticated Proxy Servers

ID: NIST SP 800-53 Rev. 5 SC-7 (8) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers Microsoft implements this System and Communications Protection control audit 1.0.0

Prevent Exfiltration

ID: NIST SP 800-53 Rev. 5 SC-7 (10) Ownership: Microsoft

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration Microsoft implements this System and Communications Protection control audit 1.0.0

Host-based Protection

ID: NIST SP 800-53 Rev. 5 SC-7 (12) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection Microsoft implements this System and Communications Protection control audit 1.0.0

Isolation of Security Tools, Mechanisms, and Support Components

ID: NIST SP 800-53 Rev. 5 SC-7 (13) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components Microsoft implements this System and Communications Protection control audit 1.0.0

Fail Secure

ID: NIST SP 800-53 Rev. 5 SC-7 (18) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1637 - Boundary Protection | Fail Secure Microsoft implements this System and Communications Protection control audit 1.0.0

Dynamic Isolation and Segregation

ID: NIST SP 800-53 Rev. 5 SC-7 (20) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation Microsoft implements this System and Communications Protection control audit 1.0.0

Isolation of System Components

ID: NIST SP 800-53 Rev. 5 SC-7 (21) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components Microsoft implements this System and Communications Protection control audit 1.0.0

Transmission Confidentiality and Integrity

ID: NIST SP 800-53 Rev. 5 SC-8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
App Service apps should use the latest TLS version Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or the new functionality of the latest version. AuditIfNotExists, Disabled 2.0.1
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. Audit, Deny, Disabled 1.0.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
Function apps should use the latest TLS version Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or the new functionality of the latest version. AuditIfNotExists, Disabled 2.0.1
Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc audit, Audit, deny, Deny, disabled, Disabled 9.0.1
Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity Microsoft implements this System and Communications Protection control audit 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Audit, Deny, Disabled 2.0.0
Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. AuditIfNotExists, Disabled 3.0.0

Cryptographic Protection

ID: NIST SP 800-53 Rev. 5 SC-8 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
App Service apps should use the latest TLS version Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or the new functionality of the latest version. AuditIfNotExists, Disabled 2.0.1
Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. Audit, Deny, Disabled 1.0.0
Enforce SSL connection should be enabled for MySQL database servers Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Enforce SSL connection should be enabled for PostgreSQL database servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Audit, Disabled 1.0.1
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Function apps should require FTPS only Enable FTPS enforcement for enhanced security. AuditIfNotExists, Disabled 3.0.0
Function apps should use the latest TLS version Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or the new functionality of the latest version. AuditIfNotExists, Disabled 2.0.1
Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc audit, Audit, deny, Deny, disabled, Disabled 9.0.1
Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Audit, Deny, Disabled 2.0.0
Windows web servers should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. AuditIfNotExists, Disabled 3.0.0

Network Disconnect

ID: NIST SP 800-53 Rev. 5 SC-10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1642 - Network Disconnect Microsoft implements this System and Communications Protection control audit 1.0.0

Cryptographic Key Establishment and Management

ID: NIST SP 800-53 Rev. 5 SC-12 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Audit, Deny, Disabled 1.0.0-preview
[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. Audit, Deny, Disabled 1.0.0-preview
Azure Automation accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. Audit, Deny, Disabled 1.0.0
Azure Batch account should use customer-managed keys to encrypt data Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. Audit, Deny, Disabled 1.0.1
Azure Container Instance container group should use customer-managed key for encryption Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled, Deny 1.0.0
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Audit, Deny, Disabled 1.0.0
Azure Data Explorer encryption at rest should use a customer-managed key Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. Audit, Deny, Disabled 1.0.0
Azure data factories should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. Audit, Deny, Disabled 1.0.1
Azure HDInsight clusters should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. Audit, Deny, Disabled 1.0.1
Azure HDInsight clusters should use encryption at host to encrypt data at rest Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Audit, Deny, Disabled 1.0.0
Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Audit, Deny, Disabled 1.0.3
Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Stream Analytics jobs should use customer-managed keys to encrypt data Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Synapse workspaces should use customer-managed keys to encrypt data at rest Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. Audit, Deny, Disabled 1.0.0
Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Audit, Deny, Disabled 1.0.1
Cognitive Services accounts should enable data encryption with a customer-managed key Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Audit, Deny, Disabled 2.0.0
Container registries should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. Audit, Deny, Disabled 1.1.2
Event Hub namespaces should use a customer-managed key for encryption Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Audit, Disabled 1.0.0
Logic Apps Integration Service Environment should be encrypted with customer-managed keys Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Audit, Deny, Disabled 1.0.0
Managed disks should be double encrypted with both platform-managed and customer-managed keys Customers with high security sensitivity who are concerned about the risk of any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer with platform-managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. Audit, Deny, Disabled 1.0.0
Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management Microsoft implements this System and Communications Protection control audit 1.0.0
OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Audit, Deny, Disabled 3.0.0
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Service Bus Premium namespaces should use a customer-managed key for encryption Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. Audit, Disabled 1.0.0
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.0
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.1
Storage account encryption scopes should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. Audit, Deny, Disabled 1.0.0
Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Audit, Disabled 1.0.3

Availability

ID: NIST SP 800-53 Rev. 5 SC-12 (1) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management | Availability Microsoft implements this System and Communications Protection control audit 1.0.0

Symmetric Keys

ID: NIST SP 800-53 Rev. 5 SC-12 (2) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys Microsoft implements this System and Communications Protection control audit 1.0.0

Asymmetric Keys

ID: NIST SP 800-53 Rev. 5 SC-12 (3) Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys Microsoft implements this System and Communications Protection control audit 1.0.0

Cryptographic Protection

ID: NIST SP 800-53 Rev. 5 SC-13 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1647 - Use of Cryptography Microsoft implements this System and Communications Protection control audit 1.0.0

Collaborative Computing Devices and Applications

ID: NIST SP 800-53 Rev. 5 SC-15 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1648 - Collaborative Computing Devices Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1649 - Collaborative Computing Devices Microsoft implements this System and Communications Protection control audit 1.0.0

Public Key Infrastructure Certificates

ID: NIST SP 800-53 Rev. 5 SC-17 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1650 - Public Key Infrastructure Certificates Microsoft implements this System and Communications Protection control audit 1.0.0

Mobile Code

ID: NIST SP 800-53 Rev. 5 SC-18 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1651 - Mobile Code Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1652 - Mobile Code Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1653 - Mobile Code Microsoft implements this System and Communications Protection control audit 1.0.0

Secure Name/Address Resolution Service (Authoritative Source)

ID: NIST SP 800-53 Rev. 5 SC-20 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source) Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source) Microsoft implements this System and Communications Protection control audit 1.0.0

Secure Name/Address Resolution Service (Recursive or Caching Resolver)

ID: NIST SP 800-53 Rev. 5 SC-21 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |

Architecture and Provisioning for Name/Address Resolution Service

ID: NIST SP 800-53 Rev. 5 SC-22 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |

Session Authenticity

ID: NIST SP 800-53 Rev. 5 SC-23 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1660 - Session Authenticity | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |

Invalidate Session Identifiers at Logout

ID: NIST SP 800-53 Rev. 5 SC-23 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1661 - Session Authenticity \| Invalidate Session Identifiers At Logout | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |

Fail in Known State

ID: NIST SP 800-53 Rev. 5 SC-24 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1662 - Fail In Known State | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |

Protection of Information at Rest

ID: NIST SP 800-53 Rev. 5 SC-28 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Microsoft Managed Control 1663 - Protection Of Information At Rest | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |

Cryptographic Protection

ID: NIST SP 800-53 Rev. 5 SC-28 (1) Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Microsoft Managed Control 1437 - Media Transport \| Cryptographic Protection | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1664 - Protection Of Information At Rest \| Cryptographic Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |

Process Isolation

ID: NIST SP 800-53 Rev. 5 SC-39 Ownership: Shared

Name