Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 5 (Azure Government). For more information about this compliance standard, see NIST SP 800-53 Rev. 5. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.
The following mappings are to the NIST SP 800-53 Rev. 5 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Access Control
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 AC-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements | Microsoft implements this Access Control control | audit | 1.0.0 |
Account Management
ID: NIST SP 800-53 Rev. 5 AC-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Managed Control 1002 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1003 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1004 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1005 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1006 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1007 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1008 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1009 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1010 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1011 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1012 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1022 - Account Management | Shared / Group Account Credential Termination | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Automated System Account Management
ID: NIST SP 800-53 Rev. 5 AC-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Microsoft Managed Control 1013 - Account Management | Automated System Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Automated Temporary and Emergency Account Management
ID: NIST SP 800-53 Rev. 5 AC-2 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1014 - Account Management | Removal Of Temporary / Emergency Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Disable Accounts
ID: NIST SP 800-53 Rev. 5 AC-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1015 - Account Management | Disable Inactive Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Automated Audit Actions
ID: NIST SP 800-53 Rev. 5 AC-2 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1016 - Account Management | Automated Audit Actions | Microsoft implements this Access Control control | audit | 1.0.0 |
Inactivity Logout
ID: NIST SP 800-53 Rev. 5 AC-2 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1017 - Account Management | Inactivity Logout | Microsoft implements this Access Control control | audit | 1.0.0 |
Privileged User Accounts
ID: NIST SP 800-53 Rev. 5 AC-2 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Microsoft Managed Control 1018 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1019 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1020 - Account Management | Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Restrictions on Use of Shared and Group Accounts
ID: NIST SP 800-53 Rev. 5 AC-2 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1021 - Account Management | Restrictions On Use Of Shared / Group Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Usage Conditions
ID: NIST SP 800-53 Rev. 5 AC-2 (11) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1023 - Account Management | Usage Conditions | Microsoft implements this Access Control control | audit | 1.0.0 |
Account Monitoring for Atypical Usage
ID: NIST SP 800-53 Rev. 5 AC-2 (12) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1024 - Account Management | Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1025 - Account Management | Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |
Disable Accounts for High-risk Individuals
ID: NIST SP 800-53 Rev. 5 AC-2 (13) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1026 - Account Management | Disable Accounts For High-Risk Individuals | Microsoft implements this Access Control control | audit | 1.0.0 |
Access Enforcement
ID: NIST SP 800-53 Rev. 5 AC-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords | AuditIfNotExists, Disabled | 1.4.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.4.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1027 - Access Enforcement | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management | Audit, Deny, Disabled | 1.0.0 |
Role-based Access Control
ID: NIST SP 800-53 Rev. 5 AC-3 (7) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.3 |
Information Flow Enforcement
ID: NIST SP 800-53 Rev. 5 AC-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.0 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 1.4.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1028 - Information Flow Enforcement | Microsoft implements this Access Control control | audit | 1.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
Dynamic Information Flow Control
ID: NIST SP 800-53 Rev. 5 AC-4 (3) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
Security and Privacy Policy Filters
ID: NIST SP 800-53 Rev. 5 AC-4 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters | Microsoft implements this Access Control control | audit | 1.0.0 |
Physical or Logical Separation of Information Flows
ID: NIST SP 800-53 Rev. 5 AC-4 (21) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows | Microsoft implements this Access Control control | audit | 1.0.0 |
Separation of Duties
ID: NIST SP 800-53 Rev. 5 AC-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1031 - Separation Of Duties | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1032 - Separation Of Duties | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1033 - Separation Of Duties | Microsoft implements this Access Control control | audit | 1.0.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Least Privilege
ID: NIST SP 800-53 Rev. 5 AC-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Microsoft Managed Control 1034 - Least Privilege | Microsoft implements this Access Control control | audit | 1.0.0 |
Authorize Access to Security Functions
ID: NIST SP 800-53 Rev. 5 AC-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Non-privileged Access for Nonsecurity Functions
ID: NIST SP 800-53 Rev. 5 AC-6 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Network Access to Privileged Commands
ID: NIST SP 800-53 Rev. 5 AC-6 (3) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands | Microsoft implements this Access Control control | audit | 1.0.0 |
Privileged Accounts
ID: NIST SP 800-53 Rev. 5 AC-6 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |
Review of User Privileges
ID: NIST SP 800-53 Rev. 5 AC-6 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges | Microsoft implements this Access Control control | audit | 1.0.0 |
Privilege Levels for Code Execution
ID: NIST SP 800-53 Rev. 5 AC-6 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution | Microsoft implements this Access Control control | audit | 1.0.0 |
Log Use of Privileged Functions
ID: NIST SP 800-53 Rev. 5 AC-6 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Prohibit Non-privileged Users from Executing Privileged Functions
ID: NIST SP 800-53 Rev. 5 AC-6 (10) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions | Microsoft implements this Access Control control | audit | 1.0.0 |
Unsuccessful Logon Attempts
ID: NIST SP 800-53 Rev. 5 AC-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1044 - Unsuccessful Logon Attempts | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1045 - Unsuccessful Logon Attempts | Microsoft implements this Access Control control | audit | 1.0.0 |
Purge or Wipe Mobile Device
ID: NIST SP 800-53 Rev. 5 AC-7 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device | Microsoft implements this Access Control control | audit | 1.0.0 |
System Use Notification
ID: NIST SP 800-53 Rev. 5 AC-8 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1047 - System Use Notification | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1048 - System Use Notification | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1049 - System Use Notification | Microsoft implements this Access Control control | audit | 1.0.0 |
Concurrent Session Control
ID: NIST SP 800-53 Rev. 5 AC-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1050 - Concurrent Session Control | Microsoft implements this Access Control control | audit | 1.0.0 |
Device Lock
ID: NIST SP 800-53 Rev. 5 AC-11 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1051 - Session Lock | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1052 - Session Lock | Microsoft implements this Access Control control | audit | 1.0.0 |
Pattern-hiding Displays
ID: NIST SP 800-53 Rev. 5 AC-11 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays | Microsoft implements this Access Control control | audit | 1.0.0 |
Session Termination
ID: NIST SP 800-53 Rev. 5 AC-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1054 - Session Termination | Microsoft implements this Access Control control | audit | 1.0.0 |
User-initiated Logouts
ID: NIST SP 800-53 Rev. 5 AC-12 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1055 - Session Termination| User-Initiated Logouts / Message Displays | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays | Microsoft implements this Access Control control | audit | 1.0.0 |
Permitted Actions Without Identification or Authentication
ID: NIST SP 800-53 Rev. 5 AC-14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication | Microsoft implements this Access Control control | audit | 1.0.0 |
Security and Privacy Attributes
ID: NIST SP 800-53 Rev. 5 AC-16 Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
Remote Access
ID: NIST SP 800-53 Rev. 5 AC-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 1.4.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.4.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| Microsoft Managed Control 1059 - Remote Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1060 - Remote Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
Monitoring and Control
ID: NIST SP 800-53 Rev. 5 AC-17 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | AuditIfNotExists, Disabled | 1.4.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.4.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control | Microsoft implements this Access Control control | audit | 1.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
Protection of Confidentiality and Integrity Using Encryption
ID: NIST SP 800-53 Rev. 5 AC-17 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption | Microsoft implements this Access Control control | audit | 1.0.0 |
Managed Access Control Points
ID: NIST SP 800-53 Rev. 5 AC-17 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points | Microsoft implements this Access Control control | audit | 1.0.0 |
Privileged Commands and Access
ID: NIST SP 800-53 Rev. 5 AC-17 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access | Microsoft implements this Access Control control | audit | 1.0.0 |
Disconnect or Disable Access
ID: NIST SP 800-53 Rev. 5 AC-17 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access | Microsoft implements this Access Control control | audit | 1.0.0 |
Wireless Access
ID: NIST SP 800-53 Rev. 5 AC-18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1067 - Wireless Access Restrictions | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1068 - Wireless Access Restrictions | Microsoft implements this Access Control control | audit | 1.0.0 |
Authentication and Encryption
ID: NIST SP 800-53 Rev. 5 AC-18 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption | Microsoft implements this Access Control control | audit | 1.0.0 |
Disable Wireless Networking
ID: NIST SP 800-53 Rev. 5 AC-18 (3) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking | Microsoft implements this Access Control control | audit | 1.0.0 |
Restrict Configurations by Users
ID: NIST SP 800-53 Rev. 5 AC-18 (4) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users | Microsoft implements this Access Control control | audit | 1.0.0 |
Antennas and Transmission Power Levels
ID: NIST SP 800-53 Rev. 5 AC-18 (5) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power Levels | Microsoft implements this Access Control control | audit | 1.0.0 |
Access Control for Mobile Devices
ID: NIST SP 800-53 Rev. 5 AC-19 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems | Microsoft implements this Access Control control | audit | 1.0.0 |
Full Device or Container-based Encryption
ID: NIST SP 800-53 Rev. 5 AC-19 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption | Microsoft implements this Access Control control | audit | 1.0.0 |
Use of External Systems
ID: NIST SP 800-53 Rev. 5 AC-20 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1076 - Use Of External Information Systems | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1077 - Use Of External Information Systems | Microsoft implements this Access Control control | audit | 1.0.0 |
Limits on Authorized Use
ID: NIST SP 800-53 Rev. 5 AC-20 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use | Microsoft implements this Access Control control | audit | 1.0.0 |
Portable Storage Devices ??? Restricted Use
ID: NIST SP 800-53 Rev. 5 AC-20 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices | Microsoft implements this Access Control control | audit | 1.0.0 |
Information Sharing
ID: NIST SP 800-53 Rev. 5 AC-21 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1081 - Information Sharing | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1082 - Information Sharing | Microsoft implements this Access Control control | audit | 1.0.0 |
Publicly Accessible Content
ID: NIST SP 800-53 Rev. 5 AC-22 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1083 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1084 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1085 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1086 - Publicly Accessible Content | Microsoft implements this Access Control control | audit | 1.0.0 |
Awareness and Training
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 AT-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Literacy Training and Awareness
ID: NIST SP 800-53 Rev. 5 AT-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1089 - Security Awareness | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1090 - Security Awareness | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1091 - Security Awareness | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Insider Threat
ID: NIST SP 800-53 Rev. 5 AT-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1092 - Security Awareness | Insider Threat | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Role-based Training
ID: NIST SP 800-53 Rev. 5 AT-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1093 - Role-Based Security Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1094 - Role-Based Security Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1095 - Role-Based Security Training | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Practical Exercises
ID: NIST SP 800-53 Rev. 5 AT-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Training Records
ID: NIST SP 800-53 Rev. 5 AT-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1098 - Security Training Records | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1099 - Security Training Records | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
Audit and Accountability
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 AU-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Event Logging
ID: NIST SP 800-53 Rev. 5 AU-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1102 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1103 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1104 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1105 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1106 - Audit Events | Reviews And Updates | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Content of Audit Records
ID: NIST SP 800-53 Rev. 5 AU-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1107 - Content Of Audit Records | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Additional Audit Information
ID: NIST SP 800-53 Rev. 5 AU-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1108 - Content Of Audit Records | Additional Audit Information | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Log Storage Capacity
ID: NIST SP 800-53 Rev. 5 AU-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1110 - Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Response to Audit Logging Process Failures
ID: NIST SP 800-53 Rev. 5 AU-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1111 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1112 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Storage Capacity Warning
ID: NIST SP 800-53 Rev. 5 AU-5 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1113 - Response To Audit Processing Failures | Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Real-time Alerts
ID: NIST SP 800-53 Rev. 5 AU-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Record Review, Analysis, and Reporting
ID: NIST SP 800-53 Rev. 5 AU-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
Automated Process Integration
ID: NIST SP 800-53 Rev. 5 AU-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Correlate Audit Record Repositories
ID: NIST SP 800-53 Rev. 5 AU-6 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit Repositories | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Central Review and Analysis
ID: NIST SP 800-53 Rev. 5 AU-6 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.2 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting | Central Review And Analysis | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Integrated Analysis of Audit Records
ID: NIST SP 800-53 Rev. 5 AU-6 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.2 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Correlation with Physical Monitoring
ID: NIST SP 800-53 Rev. 5 AU-6 (6) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Permitted Actions
ID: NIST SP 800-53 Rev. 5 AU-6 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Record Reduction and Report Generation
ID: NIST SP 800-53 Rev. 5 AU-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1124 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1125 - Audit Reduction And Report Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Automatic Processing
ID: NIST SP 800-53 Rev. 5 AU-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Time Stamps
ID: NIST SP 800-53 Rev. 5 AU-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1127 - Time Stamps | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1128 - Time Stamps | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Protection of Audit Information
ID: NIST SP 800-53 Rev. 5 AU-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1131 - Protection Of Audit Information | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Store on Separate Physical Systems or Components
ID: NIST SP 800-53 Rev. 5 AU-9 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 5 AU-9 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Access by Subset of Privileged Users
ID: NIST SP 800-53 Rev. 5 AU-9 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Non-repudiation
ID: NIST SP 800-53 Rev. 5 AU-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1135 - Non-Repudiation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Audit Record Retention
ID: NIST SP 800-53 Rev. 5 AU-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1136 - Audit Record Retention | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0 |
Audit Record Generation
ID: NIST SP 800-53 Rev. 5 AU-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.2 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1137 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1138 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1139 - Audit Generation | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
System-wide and Time-correlated Audit Trail
ID: NIST SP 800-53 Rev. 5 AU-12 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| App Service apps should have resource logs enabled | Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. | AuditIfNotExists, Disabled | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.2 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.1.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
Changes by Authorized Individuals
ID: NIST SP 800-53 Rev. 5 AU-12 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
Assessment, Authorization, and Monitoring
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 CA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Control Assessments
ID: NIST SP 800-53 Rev. 5 CA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1144 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1145 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1146 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1147 - Security Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Independent Assessors
ID: NIST SP 800-53 Rev. 5 CA-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1148 - Security Assessments | Independent Assessors | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Specialized Assessments
ID: NIST SP 800-53 Rev. 5 CA-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1149 - Security Assessments | Specialized Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Leveraging Results from External Organizations
ID: NIST SP 800-53 Rev. 5 CA-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1150 - Security Assessments | External Organizations | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Information Exchange
ID: NIST SP 800-53 Rev. 5 CA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1151 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1152 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1153 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Plan of Action and Milestones
ID: NIST SP 800-53 Rev. 5 CA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1156 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1157 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Authorization
ID: NIST SP 800-53 Rev. 5 CA-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1158 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1159 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1160 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Continuous Monitoring
ID: NIST SP 800-53 Rev. 5 CA-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1161 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1162 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1163 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1164 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1165 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1166 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1167 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Independent Assessment
ID: NIST SP 800-53 Rev. 5 CA-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1168 - Continuous Monitoring | Independent Assessment | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Trend Analyses
ID: NIST SP 800-53 Rev. 5 CA-7 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1169 - Continuous Monitoring | Trend Analyses | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Penetration Testing
ID: NIST SP 800-53 Rev. 5 CA-8 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1170 - Penetration Testing | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Independent Penetration Testing Agent or Team
ID: NIST SP 800-53 Rev. 5 CA-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1171 - Penetration Testing | Independent Penetration Agent Or Team | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Internal System Connections
ID: NIST SP 800-53 Rev. 5 CA-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1172 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1173 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
Configuration Management
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 CM-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Baseline Configuration
ID: NIST SP 800-53 Rev. 5 CM-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1176 - Baseline Configuration | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1177 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1178 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1179 - Baseline Configuration | Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automation Support for Accuracy and Currency
ID: NIST SP 800-53 Rev. 5 CM-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy / Currency | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Retention of Previous Configurations
ID: NIST SP 800-53 Rev. 5 CM-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configure Systems and Components for High-risk Areas
ID: NIST SP 800-53 Rev. 5 CM-2 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1182 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1183 - Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configuration Change Control
ID: NIST SP 800-53 Rev. 5 CM-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1184 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1185 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1186 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1187 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1188 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1189 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1190 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Documentation, Notification, and Prohibition of Changes
ID: NIST SP 800-53 Rev. 5 CM-3 (1) Ownership: Shared
Testing, Validation, and Documentation of Changes
ID: NIST SP 800-53 Rev. 5 CM-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1197 - Configuration Change Control | Test / Validate / Document Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Security and Privacy Representatives
ID: NIST SP 800-53 Rev. 5 CM-3 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1198 - Configuration Change Control | Security Representative | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Cryptography Management
ID: NIST SP 800-53 Rev. 5 CM-3 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Impact Analyses
ID: NIST SP 800-53 Rev. 5 CM-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1200 - Security Impact Analysis | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Separate Test Environments
ID: NIST SP 800-53 Rev. 5 CM-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1201 - Security Impact Analysis | Separate Test Environments | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Access Restrictions for Change
ID: NIST SP 800-53 Rev. 5 CM-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1202 - Access Restrictions For Change | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Access Enforcement and Audit Records
ID: NIST SP 800-53 Rev. 5 CM-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1203 - Access Restrictions For Change | Automated Access Enforcement / Auditing | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Privilege Limitation for Production and Operation
ID: NIST SP 800-53 Rev. 5 CM-5 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1206 - Access Restrictions For Change | Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1207 - Access Restrictions For Change | Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configuration Settings
ID: NIST SP 800-53 Rev. 5 CM-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. | Audit, Disabled | 3.1.0-deprecated |
| App Service apps should have Client Certificates (Incoming client certificates) enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 |
| Function apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 2.0.0 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 10.1.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.1.0 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 10.1.1 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.1.0 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 10.1.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.1.0 |
| Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 1.5.0 |
| Microsoft Managed Control 1208 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1209 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1210 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1211 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 1.0.0 |
Automated Management, Application, and Verification
ID: NIST SP 800-53 Rev. 5 CM-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1212 - Configuration Settings | Automated Central Management / Application / Verification | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Respond to Unauthorized Changes
ID: NIST SP 800-53 Rev. 5 CM-6 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Least Functionality
ID: NIST SP 800-53 Rev. 5 CM-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1214 - Least Functionality | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1215 - Least Functionality | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Periodic Review
ID: NIST SP 800-53 Rev. 5 CM-7 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1216 - Least Functionality | Periodic Review | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1217 - Least Functionality | Periodic Review | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Prevent Program Execution
ID: NIST SP 800-53 Rev. 5 CM-7 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1218 - Least Functionality | Prevent Program Execution | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Authorized Software ??? Allow-by-exception
ID: NIST SP 800-53 Rev. 5 CM-7 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
System Component Inventory
ID: NIST SP 800-53 Rev. 5 CM-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1222 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1223 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1229 - Information System Component Inventory | No Duplicate Accounting Of Components | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Updates During Installation and Removal
ID: NIST SP 800-53 Rev. 5 CM-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1224 - Information System Component Inventory | Updates During Installations / Removals | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Maintenance
ID: NIST SP 800-53 Rev. 5 CM-8 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1225 - Information System Component Inventory | Automated Maintenance | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Automated Unauthorized Component Detection
ID: NIST SP 800-53 Rev. 5 CM-8 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1226 - Information System Component Inventory | Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1227 - Information System Component Inventory | Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1241 - User-Installed Software | Alerts For Unauthorized Installations | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Accountability Information
ID: NIST SP 800-53 Rev. 5 CM-8 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1228 - Information System Component Inventory | Accountability Information | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Configuration Management Plan
ID: NIST SP 800-53 Rev. 5 CM-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Software Usage Restrictions
ID: NIST SP 800-53 Rev. 5 CM-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1234 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1235 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1236 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Open-source Software
ID: NIST SP 800-53 Rev. 5 CM-10 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1237 - Software Usage Restrictions | Open Source Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
User-installed Software
ID: NIST SP 800-53 Rev. 5 CM-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1238 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1239 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1240 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
Contingency Planning
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 CP-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Contingency Plan
ID: NIST SP 800-53 Rev. 5 CP-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1244 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1245 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1246 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1247 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1248 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1249 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1250 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Coordinate with Related Plans
ID: NIST SP 800-53 Rev. 5 CP-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1251 - Contingency Plan | Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Capacity Planning
ID: NIST SP 800-53 Rev. 5 CP-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1252 - Contingency Plan | Capacity Planning | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Resume Mission and Business Functions
ID: NIST SP 800-53 Rev. 5 CP-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Continue Mission and Business Functions
ID: NIST SP 800-53 Rev. 5 CP-2 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Identify Critical Assets
ID: NIST SP 800-53 Rev. 5 CP-2 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1256 - Contingency Plan | Identify Critical Assets | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Contingency Training
ID: NIST SP 800-53 Rev. 5 CP-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1257 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1258 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1259 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Simulated Events
ID: NIST SP 800-53 Rev. 5 CP-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1260 - Contingency Training | Simulated Events | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Contingency Plan Testing
ID: NIST SP 800-53 Rev. 5 CP-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1261 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1262 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1263 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Coordinate with Related Plans
ID: NIST SP 800-53 Rev. 5 CP-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1264 - Contingency Plan Testing | Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Alternate Processing Site
ID: NIST SP 800-53 Rev. 5 CP-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1265 - Contingency Plan Testing | Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Alternate Storage Site
ID: NIST SP 800-53 Rev. 5 CP-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1267 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1268 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separation from Primary Site
ID: NIST SP 800-53 Rev. 5 CP-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1269 - Alternate Storage Site | Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Recovery Time and Recovery Point Objectives
ID: NIST SP 800-53 Rev. 5 CP-6 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Accessibility
ID: NIST SP 800-53 Rev. 5 CP-6 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1271 - Alternate Storage Site | Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Alternate Processing Site
ID: NIST SP 800-53 Rev. 5 CP-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Microsoft Managed Control 1272 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1273 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1274 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separation from Primary Site
ID: NIST SP 800-53 Rev. 5 CP-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1275 - Alternate Processing Site | Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Accessibility
ID: NIST SP 800-53 Rev. 5 CP-7 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1276 - Alternate Processing Site | Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Priority of Service
ID: NIST SP 800-53 Rev. 5 CP-7 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1277 - Alternate Processing Site | Priority Of Service | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Preparation for Use
ID: NIST SP 800-53 Rev. 5 CP-7 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1278 - Alternate Processing Site | Preparation For Use | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Telecommunications Services
ID: NIST SP 800-53 Rev. 5 CP-8 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1279 - Telecommunications Services | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Priority of Service Provisions
ID: NIST SP 800-53 Rev. 5 CP-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Single Points of Failure
ID: NIST SP 800-53 Rev. 5 CP-8 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1282 - Telecommunications Services | Single Points Of Failure | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separation of Primary and Alternate Providers
ID: NIST SP 800-53 Rev. 5 CP-8 (3) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1283 - Telecommunications Services | Separation Of Primary / Alternate Providers | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Provider Contingency Plan
ID: NIST SP 800-53 Rev. 5 CP-8 (4) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1284 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1285 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1286 - Telecommunications Services | Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
System Backup
ID: NIST SP 800-53 Rev. 5 CP-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Key vaults should have deletion protection enabled | Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. | Audit, Deny, Disabled | 2.1.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 3.0.0 |
| Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Testing for Reliability and Integrity
ID: NIST SP 800-53 Rev. 5 CP-9 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1291 - Information System Backup | Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Test Restoration Using Sampling
ID: NIST SP 800-53 Rev. 5 CP-9 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1292 - Information System Backup | Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Separate Storage for Critical Information
ID: NIST SP 800-53 Rev. 5 CP-9 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1293 - Information System Backup | Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Transfer to Alternate Storage Site
ID: NIST SP 800-53 Rev. 5 CP-9 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1294 - Information System Backup | Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
System Recovery and Reconstitution
ID: NIST SP 800-53 Rev. 5 CP-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1295 - Information System Recovery And Reconstitution | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Transaction Recovery
ID: NIST SP 800-53 Rev. 5 CP-10 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1296 - Information System Recovery And Reconstitution | Transaction Recovery | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Restore Within Time Period
ID: NIST SP 800-53 Rev. 5 CP-10 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1297 - Information System Recovery And Reconstitution | Restore Within Time Period | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
Identification and Authentication
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 IA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Identification and Authentication (organizational Users)
ID: NIST SP 800-53 Rev. 5 IA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1300 - User Identification And Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Multi-factor Authentication to Privileged Accounts
ID: NIST SP 800-53 Rev. 5 IA-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Multi-factor Authentication to Non-privileged Accounts
ID: NIST SP 800-53 Rev. 5 IA-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Individual Authentication with Group Authentication
ID: NIST SP 800-53 Rev. 5 IA-2 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Access to Accounts ??? Replay Resistant
ID: NIST SP 800-53 Rev. 5 IA-2 (8) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay... | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Acceptance of PIV Credentials
ID: NIST SP 800-53 Rev. 5 IA-2 (12) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Device Identification and Authentication
ID: NIST SP 800-53 Rev. 5 IA-3 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1310 - Device Identification And Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Identifier Management
ID: NIST SP 800-53 Rev. 5 IA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| App Service apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Azure AI Services resources should have key access disabled (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Audit, Deny, Disabled | 1.1.0 |
| Function apps should use managed identity | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1311 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1312 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1313 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1314 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1315 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
Identify User Status
ID: NIST SP 800-53 Rev. 5 IA-4 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1316 - Identifier Management | Identify User Status | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Authenticator Management
ID: NIST SP 800-53 Rev. 5 IA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 1.4.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.4.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Microsoft Managed Control 1317 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1318 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1319 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1320 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1321 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1322 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1323 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1324 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1325 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1326 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Password-based Authentication
ID: NIST SP 800-53 Rev. 5 IA-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.3.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 | AuditIfNotExists, Disabled | 1.4.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 | AuditIfNotExists, Disabled | 1.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days | AuditIfNotExists, Disabled | 1.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day | AuditIfNotExists, Disabled | 1.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters | AuditIfNotExists, Disabled | 1.1.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | AuditIfNotExists, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.4.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Microsoft Managed Control 1327 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1328 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1329 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1330 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1331 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1332 - Authenticator Management | Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1338 - Authenticator Management | Automated Support For Password Strength Determination | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Public Key-based Authentication
ID: NIST SP 800-53 Rev. 5 IA-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1333 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1334 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1335 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1336 - Authenticator Management | Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Protection of Authenticators
ID: NIST SP 800-53 Rev. 5 IA-5 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1339 - Authenticator Management | Protection Of Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
No Embedded Unencrypted Static Authenticators
ID: NIST SP 800-53 Rev. 5 IA-5 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1340 - Authenticator Management | No Embedded Unencrypted Static Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Multiple System Accounts
ID: NIST SP 800-53 Rev. 5 IA-5 (8) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1341 - Authenticator Management | Multiple Information System Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Expiration of Cached Authenticators
ID: NIST SP 800-53 Rev. 5 IA-5 (13) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Authentication Feedback
ID: NIST SP 800-53 Rev. 5 IA-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1344 - Authenticator Feedback | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Cryptographic Module Authentication
ID: NIST SP 800-53 Rev. 5 IA-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1345 - Cryptographic Module Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Identification and Authentication (non-organizational Users)
ID: NIST SP 800-53 Rev. 5 IA-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Acceptance of PIV Credentials from Other Agencies
ID: NIST SP 800-53 Rev. 5 IA-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials... | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Acceptance of External Authenticators
ID: NIST SP 800-53 Rev. 5 IA-8 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party... | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Use of Defined Profiles
ID: NIST SP 800-53 Rev. 5 IA-8 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
Incident Response
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 IR-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1351 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1352 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Response Training
ID: NIST SP 800-53 Rev. 5 IR-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1353 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1354 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1355 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Simulated Events
ID: NIST SP 800-53 Rev. 5 IR-2 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1356 - Incident Response Training | Simulated Events | Microsoft implements this Incident Response control | audit | 1.0.0 |
Automated Training Environments
ID: NIST SP 800-53 Rev. 5 IR-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1357 - Incident Response Training | Automated Training Environments | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Response Testing
ID: NIST SP 800-53 Rev. 5 IR-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1358 - Incident Response Testing | Microsoft implements this Incident Response control | audit | 1.0.0 |
Coordination with Related Plans
ID: NIST SP 800-53 Rev. 5 IR-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1359 - Incident Response Testing | Coordination With Related Plans | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Handling
ID: NIST SP 800-53 Rev. 5 IR-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1360 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1361 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1362 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Automated Incident Handling Processes
ID: NIST SP 800-53 Rev. 5 IR-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1363 - Incident Handling | Automated Incident Handling Processes | Microsoft implements this Incident Response control | audit | 1.0.0 |
Dynamic Reconfiguration
ID: NIST SP 800-53 Rev. 5 IR-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1364 - Incident Handling | Dynamic Reconfiguration | Microsoft implements this Incident Response control | audit | 1.0.0 |
Continuity of Operations
ID: NIST SP 800-53 Rev. 5 IR-4 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1365 - Incident Handling | Continuity Of Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Information Correlation
ID: NIST SP 800-53 Rev. 5 IR-4 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1366 - Incident Handling | Information Correlation | Microsoft implements this Incident Response control | audit | 1.0.0 |
Insider Threats
ID: NIST SP 800-53 Rev. 5 IR-4 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities | Microsoft implements this Incident Response control | audit | 1.0.0 |
Correlation with External Organizations
ID: NIST SP 800-53 Rev. 5 IR-4 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1368 - Incident Handling | Correlation With External Organizations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Monitoring
ID: NIST SP 800-53 Rev. 5 IR-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1369 - Incident Monitoring | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Automated Tracking, Data Collection, and Analysis
ID: NIST SP 800-53 Rev. 5 IR-5 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1370 - Incident Monitoring | Automated Tracking / Data Collection / Analysis | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Reporting
ID: NIST SP 800-53 Rev. 5 IR-6 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1371 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1372 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Automated Reporting
ID: NIST SP 800-53 Rev. 5 IR-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1373 - Incident Reporting | Automated Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
Vulnerabilities Related to Incidents
ID: NIST SP 800-53 Rev. 5 IR-6 (2) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Incident Response Assistance
ID: NIST SP 800-53 Rev. 5 IR-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1374 - Incident Response Assistance | Microsoft implements this Incident Response control | audit | 1.0.0 |
Automation Support for Availability of Information and Support
ID: NIST SP 800-53 Rev. 5 IR-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1375 - Incident Response Assistance | Automation Support For Availability Of Information / Support | Microsoft implements this Incident Response control | audit | 1.0.0 |
Coordination with External Providers
ID: NIST SP 800-53 Rev. 5 IR-7 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers | Microsoft implements this Incident Response control | audit | 1.0.0 |
Incident Response Plan
ID: NIST SP 800-53 Rev. 5 IR-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1378 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1379 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1380 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1381 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1382 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1383 - Incident Response Plan | Microsoft implements this Incident Response control | audit | 1.0.0 |
Information Spillage Response
ID: NIST SP 800-53 Rev. 5 IR-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1384 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1385 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1386 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1387 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1388 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1389 - Information Spillage Response | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel | Microsoft implements this Incident Response control | audit | 1.0.0 |
Training
ID: NIST SP 800-53 Rev. 5 IR-9 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1391 - Information Spillage Response | Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
Post-spill Operations
ID: NIST SP 800-53 Rev. 5 IR-9 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |
Exposure to Unauthorized Personnel
ID: NIST SP 800-53 Rev. 5 IR-9 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel | Microsoft implements this Incident Response control | audit | 1.0.0 |
Maintenance
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 MA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1394 - System Maintenance Policy And Procedures | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1395 - System Maintenance Policy And Procedures | Microsoft implements this Maintenance control | audit | 1.0.0 |
Controlled Maintenance
ID: NIST SP 800-53 Rev. 5 MA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1396 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1397 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1398 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1399 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1400 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1401 - Controlled Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Automated Maintenance Activities
ID: NIST SP 800-53 Rev. 5 MA-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities | Microsoft implements this Maintenance control | audit | 1.0.0 |
Maintenance Tools
ID: NIST SP 800-53 Rev. 5 MA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1404 - Maintenance Tools | Microsoft implements this Maintenance control | audit | 1.0.0 |
Inspect Tools
ID: NIST SP 800-53 Rev. 5 MA-3 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools | Microsoft implements this Maintenance control | audit | 1.0.0 |
Inspect Media
ID: NIST SP 800-53 Rev. 5 MA-3 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media | Microsoft implements this Maintenance control | audit | 1.0.0 |
Prevent Unauthorized Removal
ID: NIST SP 800-53 Rev. 5 MA-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal | Microsoft implements this Maintenance control | audit | 1.0.0 |
Nonlocal Maintenance
ID: NIST SP 800-53 Rev. 5 MA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1411 - Remote Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1412 - Remote Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1413 - Remote Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1414 - Remote Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1415 - Remote Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Comparable Security and Sanitization
ID: NIST SP 800-53 Rev. 5 MA-4 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization | Microsoft implements this Maintenance control | audit | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 5 MA-4 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection | Microsoft implements this Maintenance control | audit | 1.0.0 |
Maintenance Personnel
ID: NIST SP 800-53 Rev. 5 MA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1420 - Maintenance Personnel | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1421 - Maintenance Personnel | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1422 - Maintenance Personnel | Microsoft implements this Maintenance control | audit | 1.0.0 |
Individuals Without Appropriate Access
ID: NIST SP 800-53 Rev. 5 MA-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access | Microsoft implements this Maintenance control | audit | 1.0.0 |
| Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access | Microsoft implements this Maintenance control | audit | 1.0.0 |
Timely Maintenance
ID: NIST SP 800-53 Rev. 5 MA-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1425 - Timely Maintenance | Microsoft implements this Maintenance control | audit | 1.0.0 |
Media Protection
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 MP-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1426 - Media Protection Policy And Procedures | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1427 - Media Protection Policy And Procedures | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Access
ID: NIST SP 800-53 Rev. 5 MP-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1428 - Media Access | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Marking
ID: NIST SP 800-53 Rev. 5 MP-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1429 - Media Labeling | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1430 - Media Labeling | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Storage
ID: NIST SP 800-53 Rev. 5 MP-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1431 - Media Storage | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1432 - Media Storage | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Transport
ID: NIST SP 800-53 Rev. 5 MP-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1433 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1434 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1435 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1436 - Media Transport | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Sanitization
ID: NIST SP 800-53 Rev. 5 MP-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1438 - Media Sanitization And Disposal | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1439 - Media Sanitization And Disposal | Microsoft implements this Media Protection control | audit | 1.0.0 |
Review, Approve, Track, Document, and Verify
ID: NIST SP 800-53 Rev. 5 MP-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify | Microsoft implements this Media Protection control | audit | 1.0.0 |
Equipment Testing
ID: NIST SP 800-53 Rev. 5 MP-6 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing | Microsoft implements this Media Protection control | audit | 1.0.0 |
Nondestructive Techniques
ID: NIST SP 800-53 Rev. 5 MP-6 (3) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques | Microsoft implements this Media Protection control | audit | 1.0.0 |
Media Use
ID: NIST SP 800-53 Rev. 5 MP-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1443 - Media Use | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner | Microsoft implements this Media Protection control | audit | 1.0.0 |
Physical and Environmental Protection
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 PE-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Physical Access Authorizations
ID: NIST SP 800-53 Rev. 5 PE-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1447 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1448 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1449 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1450 - Physical Access Authorizations | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Physical Access Control
ID: NIST SP 800-53 Rev. 5 PE-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1451 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1452 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1453 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1454 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1455 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1456 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1457 - Physical Access Control | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
System Access
ID: NIST SP 800-53 Rev. 5 PE-3 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1458 - Physical Access Control | Information System Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Access Control for Transmission
ID: NIST SP 800-53 Rev. 5 PE-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1459 - Access Control For Transmission Medium | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Access Control for Output Devices
ID: NIST SP 800-53 Rev. 5 PE-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1460 - Access Control For Output Devices | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Monitoring Physical Access
ID: NIST SP 800-53 Rev. 5 PE-6 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1461 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1462 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1463 - Monitoring Physical Access | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Intrusion Alarms and Surveillance Equipment
ID: NIST SP 800-53 Rev. 5 PE-6 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Monitoring Physical Access to Systems
ID: NIST SP 800-53 Rev. 5 PE-6 (4) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Visitor Access Records
ID: NIST SP 800-53 Rev. 5 PE-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1466 - Visitor Access Records | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1467 - Visitor Access Records | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Automated Records Maintenance and Review
ID: NIST SP 800-53 Rev. 5 PE-8 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Power Equipment and Cabling
ID: NIST SP 800-53 Rev. 5 PE-9 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1469 - Power Equipment And Cabling | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Emergency Shutoff
ID: NIST SP 800-53 Rev. 5 PE-10 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1470 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1471 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1472 - Emergency Shutoff | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Emergency Power
ID: NIST SP 800-53 Rev. 5 PE-11 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1473 - Emergency Power | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Alternate Power Supply ??? Minimal Operational Capability
ID: NIST SP 800-53 Rev. 5 PE-11 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Emergency Lighting
ID: NIST SP 800-53 Rev. 5 PE-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1475 - Emergency Lighting | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Fire Protection
ID: NIST SP 800-53 Rev. 5 PE-13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1476 - Fire Protection | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Detection Systems ??? Automatic Activation and Notification
ID: NIST SP 800-53 Rev. 5 PE-13 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Suppression Systems ??? Automatic Activation and Notification
ID: NIST SP 800-53 Rev. 5 PE-13 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Environmental Controls
ID: NIST SP 800-53 Rev. 5 PE-14 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1480 - Temperature And Humidity Controls | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1481 - Temperature And Humidity Controls | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Monitoring with Alarms and Notifications
ID: NIST SP 800-53 Rev. 5 PE-14 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Water Damage Protection
ID: NIST SP 800-53 Rev. 5 PE-15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1483 - Water Damage Protection | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Automation Support
ID: NIST SP 800-53 Rev. 5 PE-15 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1484 - Water Damage Protection | Automation Support | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Delivery and Removal
ID: NIST SP 800-53 Rev. 5 PE-16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1485 - Delivery And Removal | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Alternate Work Site
ID: NIST SP 800-53 Rev. 5 PE-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1486 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1487 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1488 - Alternate Work Site | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Location of System Components
ID: NIST SP 800-53 Rev. 5 PE-18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1489 - Location Of Information System Components | Microsoft implements this Physical and Environmental Protection control | audit | 1.0.0 |
Planning
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 PL-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1490 - Security Planning Policy And Procedures | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1491 - Security Planning Policy And Procedures | Microsoft implements this Planning control | audit | 1.0.0 |
System Security and Privacy Plans
ID: NIST SP 800-53 Rev. 5 PL-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1492 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1493 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1494 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1495 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1496 - System Security Plan | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities | Microsoft implements this Planning control | audit | 1.0.0 |
Rules of Behavior
ID: NIST SP 800-53 Rev. 5 PL-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1498 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1499 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1500 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1501 - Rules Of Behavior | Microsoft implements this Planning control | audit | 1.0.0 |
Social Media and External Site/application Usage Restrictions
ID: NIST SP 800-53 Rev. 5 PL-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions | Microsoft implements this Planning control | audit | 1.0.0 |
Security and Privacy Architectures
ID: NIST SP 800-53 Rev. 5 PL-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1503 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1504 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1505 - Information Security Architecture | Microsoft implements this Planning control | audit | 1.0.0 |
Personnel Security
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 PS-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1506 - Personnel Security Policy And Procedures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1507 - Personnel Security Policy And Procedures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Position Risk Designation
ID: NIST SP 800-53 Rev. 5 PS-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1508 - Position Categorization | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1509 - Position Categorization | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1510 - Position Categorization | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Screening
ID: NIST SP 800-53 Rev. 5 PS-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1511 - Personnel Screening | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1512 - Personnel Screening | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Information Requiring Special Protective Measures
ID: NIST SP 800-53 Rev. 5 PS-3 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Termination
ID: NIST SP 800-53 Rev. 5 PS-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1515 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1516 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1517 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1518 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1519 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1520 - Personnel Termination | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Automated Actions
ID: NIST SP 800-53 Rev. 5 PS-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1521 - Personnel Termination | Automated Notification | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Transfer
ID: NIST SP 800-53 Rev. 5 PS-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1522 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1523 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1524 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1525 - Personnel Transfer | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Access Agreements
ID: NIST SP 800-53 Rev. 5 PS-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1526 - Access Agreements | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1527 - Access Agreements | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1528 - Access Agreements | Microsoft implements this Personnel Security control | audit | 1.0.0 |
External Personnel Security
ID: NIST SP 800-53 Rev. 5 PS-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1529 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1530 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1531 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1532 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1533 - Third-Party Personnel Security | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Personnel Sanctions
ID: NIST SP 800-53 Rev. 5 PS-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1534 - Personnel Sanctions | Microsoft implements this Personnel Security control | audit | 1.0.0 |
| Microsoft Managed Control 1535 - Personnel Sanctions | Microsoft implements this Personnel Security control | audit | 1.0.0 |
Risk Assessment
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 RA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Security Categorization
ID: NIST SP 800-53 Rev. 5 RA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1538 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1539 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1540 - Security Categorization | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Risk Assessment
ID: NIST SP 800-53 Rev. 5 RA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1541 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1542 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1543 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1544 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1545 - Risk Assessment | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Vulnerability Monitoring and Scanning
ID: NIST SP 800-53 Rev. 5 RA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1 |
| Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0 |
Update Vulnerabilities to Be Scanned
ID: NIST SP 800-53 Rev. 5 RA-5 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Breadth and Depth of Coverage
ID: NIST SP 800-53 Rev. 5 RA-5 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Discoverable Information
ID: NIST SP 800-53 Rev. 5 RA-5 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Privileged Access
ID: NIST SP 800-53 Rev. 5 RA-5 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Automated Trend Analyses
ID: NIST SP 800-53 Rev. 5 RA-5 (6) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Review Historic Audit Logs
ID: NIST SP 800-53 Rev. 5 RA-5 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
Correlate Scanning Information
ID: NIST SP 800-53 Rev. 5 RA-5 (10) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0 |
System and Services Acquisition
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 SA-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Allocation of Resources
ID: NIST SP 800-53 Rev. 5 SA-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1561 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1562 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1563 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
System Development Life Cycle
ID: NIST SP 800-53 Rev. 5 SA-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1564 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1565 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1566 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1567 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Acquisition Process
ID: NIST SP 800-53 Rev. 5 SA-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1568 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1569 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1570 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1571 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1572 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1573 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1574 - Acquisitions Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Functional Properties of Controls
ID: NIST SP 800-53 Rev. 5 SA-4 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Design and Implementation Information for Controls
ID: NIST SP 800-53 Rev. 5 SA-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Continuous Monitoring Plan for Controls
ID: NIST SP 800-53 Rev. 5 SA-4 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Functions, Ports, Protocols, and Services in Use
ID: NIST SP 800-53 Rev. 5 SA-4 (9) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Use of Approved PIV Products
ID: NIST SP 800-53 Rev. 5 SA-4 (10) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
System Documentation
ID: NIST SP 800-53 Rev. 5 SA-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1580 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1581 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1582 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1583 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1584 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Security and Privacy Engineering Principles
ID: NIST SP 800-53 Rev. 5 SA-8 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1585 - Security Engineering Principles | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
External System Services
ID: NIST SP 800-53 Rev. 5 SA-9 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1586 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1587 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1588 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Risk Assessments and Organizational Approvals
ID: NIST SP 800-53 Rev. 5 SA-9 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Identification of Functions, Ports, Protocols, and Services
ID: NIST SP 800-53 Rev. 5 SA-9 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols... | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Consistent Interests of Consumers and Providers
ID: NIST SP 800-53 Rev. 5 SA-9 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Processing, Storage, and Service Location
ID: NIST SP 800-53 Rev. 5 SA-9 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer Configuration Management
ID: NIST SP 800-53 Rev. 5 SA-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Software and Firmware Integrity Verification
ID: NIST SP 800-53 Rev. 5 SA-10 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer Testing and Evaluation
ID: NIST SP 800-53 Rev. 5 SA-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1600 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1601 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1602 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1603 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1604 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Static Code Analysis
ID: NIST SP 800-53 Rev. 5 SA-11 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Threat Modeling and Vulnerability Analyses
ID: NIST SP 800-53 Rev. 5 SA-11 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Dynamic Code Analysis
ID: NIST SP 800-53 Rev. 5 SA-11 (8) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Development Process, Standards, and Tools
ID: NIST SP 800-53 Rev. 5 SA-15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1609 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1610 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer-provided Training
ID: NIST SP 800-53 Rev. 5 SA-16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1611 - Developer-Provided Training | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
Developer Security and Privacy Architecture and Design
ID: NIST SP 800-53 Rev. 5 SA-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1612 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1613 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
| Microsoft Managed Control 1614 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0 |
System and Communications Protection
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 SC-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Separation of System and User Functionality
ID: NIST SP 800-53 Rev. 5 SC-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1617 - Application Partitioning | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Security Function Isolation
ID: NIST SP 800-53 Rev. 5 SC-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1618 - Security Function Isolation | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 1.1.1 |
Information in Shared System Resources
ID: NIST SP 800-53 Rev. 5 SC-4 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1619 - Information In Shared Resources | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Denial-of-service Protection
ID: NIST SP 800-53 Rev. 5 SC-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1620 - Denial Of Service Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Resource Availability
ID: NIST SP 800-53 Rev. 5 SC-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1621 - Resource Availability | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Boundary Protection
ID: NIST SP 800-53 Rev. 5 SC-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.0 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 1.4.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1622 - Boundary Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1623 - Boundary Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1624 - Boundary Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
Access Points
ID: NIST SP 800-53 Rev. 5 SC-7 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.0 |
| Azure AI Services resources should restrict network access | By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. | Audit, Deny, Disabled | 3.2.0 |
| Azure Cache for Redis should use private link | Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 1.4.1 |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Disabled | 1.0.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Disabled | 1.0.0 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web Application Firewall should be enabled for Azure Front Door entry-points | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.2 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 3.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 2.0.0 |
| Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.1 |
| CosmosDB accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. | Audit, Disabled | 1.0.0 |
| Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | AuditIfNotExists, Disabled | 1.0.0 |
| Event Hub namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| IoT Hub device provisioning service instances should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. | Audit, Disabled | 1.0.0 |
| IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1625 - Boundary Protection | Access Points | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0 |
| Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Audit, Disabled | 1.1.0 |
| Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 |
| Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Audit, Deny, Disabled | 1.0.1 |
| Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | AuditIfNotExists, Disabled | 2.0.0 |
| Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0 |
| Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 2.0.0 |
External Telecommunications Services
ID: NIST SP 800-53 Rev. 5 SC-7 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Deny by Default ??? Allow by Exception
ID: NIST SP 800-53 Rev. 5 SC-7 (5) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1155 - System Interconnections | Restrictions On External System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Split Tunneling for Remote Devices
ID: NIST SP 800-53 Rev. 5 SC-7 (7) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Route Traffic to Authenticated Proxy Servers
ID: NIST SP 800-53 Rev. 5 SC-7 (8) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Prevent Exfiltration
ID: NIST SP 800-53 Rev. 5 SC-7 (10) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Host-based Protection
ID: NIST SP 800-53 Rev. 5 SC-7 (12) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Isolation of Security Tools, Mechanisms, and Support Components
ID: NIST SP 800-53 Rev. 5 SC-7 (13) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Fail Secure
ID: NIST SP 800-53 Rev. 5 SC-7 (18) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1637 - Boundary Protection | Fail Secure | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Dynamic Isolation and Segregation
ID: NIST SP 800-53 Rev. 5 SC-7 (20) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Isolation of System Components
ID: NIST SP 800-53 Rev. 5 SC-7 (21) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1639 - Boundary Protection | Isolation Of Information System Components | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Transmission Confidentiality and Integrity
ID: NIST SP 800-53 Rev. 5 SC-8 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Microsoft Managed Control 1640 - Transmission Confidentiality And Integrity | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 3.0.1 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 5 SC-8 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| App Service apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| App Service apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Audit, Deny, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for MySQL database servers | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Function apps should require FTPS only | Enable FTPS enforcement for enhanced security. | AuditIfNotExists, Disabled | 3.0.0 |
| Function apps should use the latest TLS version | Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. | AuditIfNotExists, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 9.1.0 |
| Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 3.0.1 |
Network Disconnect
ID: NIST SP 800-53 Rev. 5 SC-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1642 - Network Disconnect | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Cryptographic Key Establishment and Management
ID: NIST SP 800-53 Rev. 5 SC-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Audit, Deny, Disabled | 1.0.0-preview |
| [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. | Audit, Deny, Disabled | 1.0.0-preview |
| Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Audit, Deny, Disabled | 1.0.0 |
| Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Audit, Deny, Disabled | 1.0.1 |
| Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled, Deny | 1.0.0 |
| Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. | Audit, Deny, Disabled | 1.0.0 |
| Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. | Audit, Deny, Disabled | 1.0.0 |
| Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Audit, Deny, Disabled | 1.0.1 |
| Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Audit, Deny, Disabled | 1.0.1 |
| Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Audit, Deny, Disabled | 1.0.0 |
| Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Audit, Deny, Disabled | 1.0.3 |
| Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. | Audit, Deny, Disabled | 1.0.0 |
| Bot Service should be encrypted with a customer-managed key | Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Audit, Deny, Disabled | 2.1.0 |
| Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Audit, Deny, Disabled | 1.1.2 |
| Event Hub namespaces should use a customer-managed key for encryption | Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. | Audit, Disabled | 1.0.0 |
| Logic Apps Integration Service Environment should be encrypted with customer-managed keys | Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Audit, Deny, Disabled | 1.0.0 |
| Managed disks should be double encrypted with both platform-managed and customer-managed keys | High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. | Audit, Deny, Disabled | 3.0.0 |
| Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Service Bus Premium namespaces should use a customer-managed key for encryption | Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. | Audit, Disabled | 1.0.0 |
| SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.0 |
| SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. | Audit, Deny, Disabled | 2.0.1 |
| Storage account encryption scopes should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. | Audit, Deny, Disabled | 1.0.0 |
| Storage accounts should use customer-managed key for encryption | Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Audit, Disabled | 1.0.3 |
Availability
ID: NIST SP 800-53 Rev. 5 SC-12 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1644 - Cryptographic Key Establishment And Management | Availability | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Symmetric Keys
ID: NIST SP 800-53 Rev. 5 SC-12 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric Keys | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Asymmetric Keys
ID: NIST SP 800-53 Rev. 5 SC-12 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric Keys | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 5 SC-13 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1647 - Use of Cryptography | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Collaborative Computing Devices and Applications
ID: NIST SP 800-53 Rev. 5 SC-15 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1648 - Collaborative Computing Devices | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1649 - Collaborative Computing Devices | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Public Key Infrastructure Certificates
ID: NIST SP 800-53 Rev. 5 SC-17 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1650 - Public Key Infrastructure Certificates | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Mobile Code
ID: NIST SP 800-53 Rev. 5 SC-18 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1651 - Mobile Code | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1652 - Mobile Code | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1653 - Mobile Code | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Secure Name/address Resolution Service (authoritative Source)
ID: NIST SP 800-53 Rev. 5 SC-20 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source) | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source) | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Secure Name/address Resolution Service (recursive or Caching Resolver)
ID: NIST SP 800-53 Rev. 5 SC-21 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Architecture and Provisioning for Name/address Resolution Service
ID: NIST SP 800-53 Rev. 5 SC-22 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution Service | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Session Authenticity
ID: NIST SP 800-53 Rev. 5 SC-23 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1660 - Session Authenticity | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Invalidate Session Identifiers at Logout
ID: NIST SP 800-53 Rev. 5 SC-23 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers At Logout | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Fail in Known State
ID: NIST SP 800-53 Rev. 5 SC-24 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1662 - Fail In Known State | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
Protection of Information at Rest
ID: NIST SP 800-53 Rev. 5 SC-28 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Microsoft Managed Control 1663 - Protection Of Information At Rest | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Cryptographic Protection
ID: NIST SP 800-53 Rev. 5 SC-28 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service Environment should have internal encryption enabled | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Audit, Disabled | 1.0.1 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Audit, Deny, Disabled | 2.0.0 |
| Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Audit, Deny, Disabled | 2.0.0 |
| Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection | Microsoft implements this Media Protection control | audit | 1.0.0 |
| Microsoft Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should have infrastructure encryption | Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. | Audit, Deny, Disabled | 1.0.0 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |
Process Isolation
ID: NIST SP 800-53 Rev. 5 SC-39 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1665 - Process Isolation | Microsoft implements this System and Communications Protection control | audit | 1.0.0 |
System and Information Integrity
Policy and Procedures
ID: NIST SP 800-53 Rev. 5 SI-1 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1666 - System And Information Integrity Policy And Procedures | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1667 - System And Information Integrity Policy And Procedures | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Flaw Remediation
ID: NIST SP 800-53 Rev. 5 SI-2 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1668 - Flaw Remediation | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1669 - Flaw Remediation | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1670 - Flaw Remediation | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1671 - Flaw Remediation | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0 |
| System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |
Automated Flaw Remediation Status
ID: NIST SP 800-53 Rev. 5 SI-2 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Time to Remediate Flaws and Benchmarks for Corrective Actions
ID: NIST SP 800-53 Rev. 5 SI-2 (3) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Removal of Previous Versions of Software and Firmware
ID: NIST SP 800-53 Rev. 5 SI-2 (6) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Function apps should use latest 'HTTP Version' | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | AuditIfNotExists, Disabled | 4.0.0 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
Malicious Code Protection
ID: NIST SP 800-53 Rev. 5 SI-3 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1676 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1677 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1678 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1679 - Malicious Code Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1681 - Malicious Code Protection | Automatic Updates | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 1.1.1 |
System Monitoring
ID: NIST SP 800-53 Rev. 5 SI-4 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 4.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.2 |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
| Microsoft Defender for Storage (Classic) should be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.4 |
| Microsoft Managed Control 1683 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1684 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1685 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1686 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1687 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1688 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1689 - Information System Monitoring | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |
System-wide Intrusion Detection System
ID: NIST SP 800-53 Rev. 5 SI-4 (1) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1690 - Information System Monitoring | System-Wide Intrusion Detection System | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Automated Tools and Mechanisms for Real-time Analysis
ID: NIST SP 800-53 Rev. 5 SI-4 (2) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1691 - Information System Monitoring | Automated Tools For Real-Time Analysis | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Inbound and Outbound Communications Traffic
ID: NIST SP 800-53 Rev. 5 SI-4 (4) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1692 - Information System Monitoring | Inbound And Outbound Communications Traffic | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
System-generated Alerts
ID: NIST SP 800-53 Rev. 5 SI-4 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1693 - Information System Monitoring | System-Generated Alerts | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Analyze Communications Traffic Anomalies
ID: NIST SP 800-53 Rev. 5 SI-4 (11) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1694 - Information System Monitoring | Analyze Communications Traffic Anomalies | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Automated Organization-generated Alerts
ID: NIST SP 800-53 Rev. 5 SI-4 (12) Ownership: Customer
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
Wireless Intrusion Detection
ID: NIST SP 800-53 Rev. 5 SI-4 (14) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1695 - Information System Monitoring | Wireless Intrusion Detection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Correlate Monitoring Information
ID: NIST SP 800-53 Rev. 5 SI-4 (16) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1696 - Information System Monitoring | Correlate Monitoring Information | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Analyze Traffic and Covert Exfiltration
ID: NIST SP 800-53 Rev. 5 SI-4 (18) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert Exfiltration | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Risk for Individuals
ID: NIST SP 800-53 Rev. 5 SI-4 (19) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1698 - Information System Monitoring | Individuals Posing Greater Risk | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Privileged Users
ID: NIST SP 800-53 Rev. 5 SI-4 (20) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1699 - Information System Monitoring | Privileged Users | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Unauthorized Network Services
ID: NIST SP 800-53 Rev. 5 SI-4 (22) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1700 - Information System Monitoring | Unauthorized Network Services | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Host-based Devices
ID: NIST SP 800-53 Rev. 5 SI-4 (23) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1701 - Information System Monitoring | Host-Based Devices | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Indicators of Compromise
ID: NIST SP 800-53 Rev. 5 SI-4 (24) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1702 - Information System Monitoring | Indicators Of Compromise | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Security Alerts, Advisories, and Directives
ID: NIST SP 800-53 Rev. 5 SI-5 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1703 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1704 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1705 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1706 - Security Alerts & Advisories | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Automated Alerts and Advisories
ID: NIST SP 800-53 Rev. 5 SI-5 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1707 - Security Alerts & Advisories | Automated Alerts And Advisories | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Security and Privacy Function Verification
ID: NIST SP 800-53 Rev. 5 SI-6 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1708 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1709 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1710 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1711 - Security Functionality Verification | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Software, Firmware, and Information Integrity
ID: NIST SP 800-53 Rev. 5 SI-7 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1712 - Software & Information Integrity | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Integrity Checks
ID: NIST SP 800-53 Rev. 5 SI-7 (1) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Automated Notifications of Integrity Violations
ID: NIST SP 800-53 Rev. 5 SI-7 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Automated Response to Integrity Violations
ID: NIST SP 800-53 Rev. 5 SI-7 (5) Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Integration of Detection and Response
ID: NIST SP 800-53 Rev. 5 SI-7 (7) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Spam Protection
ID: NIST SP 800-53 Rev. 5 SI-8 Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1719 - Spam Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1720 - Spam Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Automatic Updates
ID: NIST SP 800-53 Rev. 5 SI-8 (2) Ownership: Microsoft
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1722 - Spam Protection | Automatic Updates | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Information Input Validation
ID: NIST SP 800-53 Rev. 5 SI-10 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1723 - Information Input Validation | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Error Handling
ID: NIST SP 800-53 Rev. 5 SI-11 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1724 - Error Handling | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Microsoft Managed Control 1725 - Error Handling | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Information Management and Retention
ID: NIST SP 800-53 Rev. 5 SI-12 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1726 - Information Output Handling And Retention | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
Memory Protection
ID: NIST SP 800-53 Rev. 5 SI-16 Ownership: Shared
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1727 - Memory Protection | Microsoft implements this System and Information Integrity control | audit | 1.0.0 |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 1.1.1 |
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for