Details of the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the NIST SP 800-53 Rev. 4 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 4 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Access Control

Access Control Policy and Procedures

ID: NIST SP 800-53 Rev. 4 AC-1

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1000 - Access Control Policy And Procedures | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1001 - Access Control Policy And Procedures | Microsoft implements this Access Control control | audit | 1.0.0 |

Account Management

ID: NIST SP 800-53 Rev. 4 AC-2

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 3.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1002 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1003 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1004 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1005 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1006 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1007 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1008 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1009 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1010 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1011 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1012 - Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Automated System Account Management

ID: NIST SP 800-53 Rev. 4 AC-2 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1013 - Account Management \| Automated System Account Management | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |

Removal of Temporary / Emergency Accounts

ID: NIST SP 800-53 Rev. 4 AC-2 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1014 - Account Management \| Removal Of Temporary / Emergency Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |

Disable Inactive Accounts

ID: NIST SP 800-53 Rev. 4 AC-2 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1015 - Account Management \| Disable Inactive Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |

Automated Audit Actions

ID: NIST SP 800-53 Rev. 4 AC-2 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1016 - Account Management \| Automated Audit Actions | Microsoft implements this Access Control control | audit | 1.0.0 |

Inactivity Logout

ID: NIST SP 800-53 Rev. 4 AC-2 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1017 - Account Management \| Inactivity Logout | Microsoft implements this Access Control control | audit | 1.0.0 |

Role-based Schemes

ID: NIST SP 800-53 Rev. 4 AC-2 (7)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC rules | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Microsoft Managed Control 1018 - Account Management \| Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1019 - Account Management \| Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1020 - Account Management \| Role-Based Schemes | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |

Restrictions On Use of Shared / Group Accounts

ID: NIST SP 800-53 Rev. 4 AC-2 (9)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1021 - Account Management \| Restrictions On Use Of Shared / Group Accounts | Microsoft implements this Access Control control | audit | 1.0.0 |

Shared / Group Account Credential Termination

ID: NIST SP 800-53 Rev. 4 AC-2 (10)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1022 - Account Management \| Shared / Group Account Credential Termination | Microsoft implements this Access Control control | audit | 1.0.0 |

Usage Conditions

ID: NIST SP 800-53 Rev. 4 AC-2 (11)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1023 - Account Management \| Usage Conditions | Microsoft implements this Access Control control | audit | 1.0.0 |

Account Monitoring / Atypical Usage

ID: NIST SP 800-53 Rev. 4 AC-2 (12)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1024 - Account Management \| Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |
| Microsoft Managed Control 1025 - Account Management \| Account Monitoring / Atypical Usage | Microsoft implements this Access Control control | audit | 1.0.0 |

Disable Accounts for High-risk Individuals

ID: NIST SP 800-53 Rev. 4 AC-2 (13)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1026 - Account Management \| Disable Accounts For High-Risk Individuals | Microsoft implements this Access Control control | audit | 1.0.0 |

Access Enforcement

ID: NIST SP 800-53 Rev. 4 AC-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines have accounts without passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 2.0.1 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1027 - Access Enforcement | Microsoft implements this Access Control control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric. | Audit, Deny, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Role-based Access Control

ID: NIST SP 800-53 Rev. 4 AC-3 (7)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |

Information Flow Enforcement

ID: NIST SP 800-53 Rev. 4 AC-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | AuditIfNotExists, Disabled | 3.0.0 |
| All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | AuditIfNotExists, Disabled | 3.0.0-preview |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1 |
| App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2 |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
| Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0 |
| Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0 |
| Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0 |
| Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2 |
| Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Audit, Deny, Disabled | 2.0.0-preview |
| Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0 |
| Azure Service Bus namespaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Audit, Deny, Disabled | 1.0.1 |
| Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to an Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Audit, Disabled | 1.0.1 |
| Azure Web PubSub Service should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. | Audit, Deny, Disabled | 1.0.0 |
| Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that your Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of the Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 2.0.0 |
| Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Audit, Disabled | 2.0.0 |
| Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here: https://aka.ms/acr/vnet. | Audit, Deny, Disabled | 1.1.0 |
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CORS should not allow every resource to access your Web Applications Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. AuditIfNotExists, Disabled 1.0.0
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1028 - Information Flow Enforcement Microsoft implements this Access Control control audit 1.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Audit, Deny, Disabled 1.1.0-preview
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. disabled 3.0.1-preview
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Dynamic Information Flow Control

ID: NIST SP 800-53 Rev. 4 AC-4 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0

Security Policy Filters

ID: NIST SP 800-53 Rev. 4 AC-4 (8)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1029 - Information Flow Enforcement | Security Policy Filters Microsoft implements this Access Control control audit 1.0.0

Physical / Logical Separation of Information Flows

ID: NIST SP 800-53 Rev. 4 AC-4 (21)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation Of Information Flows Microsoft implements this Access Control control audit 1.0.0

Separation of Duties

ID: NIST SP 800-53 Rev. 4 AC-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1031 - Separation Of Duties Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1032 - Separation Of Duties Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1033 - Separation Of Duties Microsoft implements this Access Control control audit 1.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Least Privilege

ID: NIST SP 800-53 Rev. 4 AC-6

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Audit, Disabled 1.0.0
Microsoft Managed Control 1034 - Least Privilege Microsoft implements this Access Control control audit 1.0.0

Authorize Access to Security Functions

ID: NIST SP 800-53 Rev. 4 AC-6 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1035 - Least Privilege | Authorize Access To Security Functions Microsoft implements this Access Control control audit 1.0.0

Non-privileged Access for Nonsecurity Functions

ID: NIST SP 800-53 Rev. 4 AC-6 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity Functions Microsoft implements this Access Control control audit 1.0.0

Network Access to Privileged Commands

ID: NIST SP 800-53 Rev. 4 AC-6 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1037 - Least Privilege | Network Access To Privileged Commands Microsoft implements this Access Control control audit 1.0.0

Privileged Accounts

ID: NIST SP 800-53 Rev. 4 AC-6 (5)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1038 - Least Privilege | Privileged Accounts Microsoft implements this Access Control control audit 1.0.0

Review of User Privileges

ID: NIST SP 800-53 Rev. 4 AC-6 (7)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Audit usage of custom RBAC rules Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Audit, Disabled 1.0.0
Microsoft Managed Control 1039 - Least Privilege | Review Of User Privileges Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1040 - Least Privilege | Review Of User Privileges Microsoft implements this Access Control control audit 1.0.0

Privilege Levels for Code Execution

ID: NIST SP 800-53 Rev. 4 AC-6 (8)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution Microsoft implements this Access Control control audit 1.0.0

Auditing Use of Privileged Functions

ID: NIST SP 800-53 Rev. 4 AC-6 (9)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions Microsoft implements this Access Control control audit 1.0.0

Prohibit Non-privileged Users from Executing Privileged Functions

ID: NIST SP 800-53 Rev. 4 AC-6 (10)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions Microsoft implements this Access Control control audit 1.0.0

Unsuccessful Logon Attempts

ID: NIST SP 800-53 Rev. 4 AC-7

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1044 - Unsuccessful Logon Attempts Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1045 - Unsuccessful Logon Attempts Microsoft implements this Access Control control audit 1.0.0

Purge / Wipe Mobile Device

ID: NIST SP 800-53 Rev. 4 AC-7 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device Microsoft implements this Access Control control audit 1.0.0

System Use Notification

ID: NIST SP 800-53 Rev. 4 AC-8

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1047 - System Use Notification Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1048 - System Use Notification Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1049 - System Use Notification Microsoft implements this Access Control control audit 1.0.0

Concurrent Session Control

ID: NIST SP 800-53 Rev. 4 AC-10

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1050 - Concurrent Session Control Microsoft implements this Access Control control audit 1.0.0

Session Lock

ID: NIST SP 800-53 Rev. 4 AC-11

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1051 - Session Lock Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1052 - Session Lock Microsoft implements this Access Control control audit 1.0.0

Pattern-hiding Displays

ID: NIST SP 800-53 Rev. 4 AC-11 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1053 - Session Lock | Pattern-Hiding Displays Microsoft implements this Access Control control audit 1.0.0

Session Termination

ID: NIST SP 800-53 Rev. 4 AC-12

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1054 - Session Termination Microsoft implements this Access Control control audit 1.0.0

User-initiated Logouts / Message Displays

ID: NIST SP 800-53 Rev. 4 AC-12 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1055 - Session Termination | User-Initiated Logouts / Message Displays Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1056 - Session Termination | User-Initiated Logouts / Message Displays Microsoft implements this Access Control control audit 1.0.0

Permitted Actions Without Identification or Authentication

ID: NIST SP 800-53 Rev. 4 AC-14

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1057 - Permitted Actions Without Identification Or Authentication Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1058 - Permitted Actions Without Identification Or Authentication Microsoft implements this Access Control control audit 1.0.0

Security Attributes

ID: NIST SP 800-53 Rev. 4 AC-16

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2

Remote Access

ID: NIST SP 800-53 Rev. 4 AC-17

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that allow remote connections from accounts without passwords. AuditIfNotExists, Disabled 1.0.0
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Audit, Deny, Disabled 1.0.3
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Deny, Disabled 1.0.1
Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Audit, Disabled, Deny 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 2.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Microsoft Managed Control 1059 - Remote Access Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1060 - Remote Access Microsoft implements this Access Control control audit 1.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Audit, Deny, Disabled 1.1.0-preview
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview. AuditIfNotExists, Disabled 2.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Automated Monitoring / Control

ID: NIST SP 800-53 Rev. 4 AC-17 (1)

Name (Azure portal) Description Effect(s) Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 1.0.0
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that allow remote connections from accounts without passwords. AuditIfNotExists, Disabled 1.0.0
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Audit, Deny, Disabled 1.0.3
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Deny, Disabled 1.0.1
Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Audit, Disabled, Deny 1.0.0
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 2.0.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.0.1
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
Microsoft Managed Control 1061 - Remote Access | Automated Monitoring / Control Microsoft implements this Access Control control audit 1.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Audit, Deny, Disabled 1.1.0-preview
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Function Apps Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Remote debugging should be turned off for Web Applications Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. AuditIfNotExists, Disabled 1.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview. AuditIfNotExists, Disabled 2.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0

Protection of Confidentiality / Integrity Using Encryption

ID: NIST SP 800-53 Rev. 4 AC-17 (2)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity Using Encryption Microsoft implements this Access Control control audit 1.0.0

Managed Access Control Points

ID: NIST SP 800-53 Rev. 4 AC-17 (3)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1063 - Remote Access | Managed Access Control Points Microsoft implements this Access Control control audit 1.0.0

Privileged Commands / Access

ID: NIST SP 800-53 Rev. 4 AC-17 (4)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1064 - Remote Access | Privileged Commands / Access Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1065 - Remote Access | Privileged Commands / Access Microsoft implements this Access Control control audit 1.0.0

Disconnect / Disable Access

ID: NIST SP 800-53 Rev. 4 AC-17 (9)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1066 - Remote Access | Disconnect / Disable Access Microsoft implements this Access Control control audit 1.0.0

Wireless Access

ID: NIST SP 800-53 Rev. 4 AC-18

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1067 - Wireless Access Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1068 - Wireless Access Microsoft implements this Access Control control audit 1.0.0

Authentication and Encryption

ID: NIST SP 800-53 Rev. 4 AC-18 (1)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1069 - Wireless Access | Authentication And Encryption Microsoft implements this Access Control control audit 1.0.0

Disable Wireless Networking

ID: NIST SP 800-53 Rev. 4 AC-18 (3)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1070 - Wireless Access | Disable Wireless Networking Microsoft implements this Access Control control audit 1.0.0

Restrict Configurations by Users

ID: NIST SP 800-53 Rev. 4 AC-18 (4)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1071 - Wireless Access | Restrict Configurations By Users Microsoft implements this Access Control control audit 1.0.0

Antennas / Transmission Power Levels

ID: NIST SP 800-53 Rev. 4 AC-18 (5)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels Microsoft implements this Access Control control audit 1.0.0

Access Control for Mobile Devices

ID: NIST SP 800-53 Rev. 4 AC-19

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1073 - Access Control For Mobile Devices Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1074 - Access Control For Mobile Devices Microsoft implements this Access Control control audit 1.0.0

Full Device / Container-based Encryption

ID: NIST SP 800-53 Rev. 4 AC-19 (5)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based Encryption Microsoft implements this Access Control control audit 1.0.0

Use of External Information Systems

ID: NIST SP 800-53 Rev. 4 AC-20

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1076 - Use Of External Information Systems Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1077 - Use Of External Information Systems Microsoft implements this Access Control control audit 1.0.0

Limits On Authorized Use

ID: NIST SP 800-53 Rev. 4 AC-20 (1)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1078 - Use Of External Information Systems | Limits On Authorized Use Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1079 - Use Of External Information Systems | Limits On Authorized Use Microsoft implements this Access Control control audit 1.0.0

Portable Storage Devices

ID: NIST SP 800-53 Rev. 4 AC-20 (2)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1080 - Use Of External Information Systems | Portable Storage Devices Microsoft implements this Access Control control audit 1.0.0

Information Sharing

ID: NIST SP 800-53 Rev. 4 AC-21

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1081 - Information Sharing Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1082 - Information Sharing Microsoft implements this Access Control control audit 1.0.0

Publicly Accessible Content

ID: NIST SP 800-53 Rev. 4 AC-22

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1083 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1084 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1085 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0
Microsoft Managed Control 1086 - Publicly Accessible Content Microsoft implements this Access Control control audit 1.0.0

Awareness and Training

Security Awareness and Training Policy and Procedures

ID: NIST SP 800-53 Rev. 4 AT-1

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1087 - Security Awareness And Training Policy And Procedures Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1088 - Security Awareness And Training Policy And Procedures Microsoft implements this Awareness and Training control audit 1.0.0

Security Awareness Training

ID: NIST SP 800-53 Rev. 4 AT-2

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1089 - Security Awareness Training Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1090 - Security Awareness Training Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1091 - Security Awareness Training Microsoft implements this Awareness and Training control audit 1.0.0

Insider Threat

ID: NIST SP 800-53 Rev. 4 AT-2 (2)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1092 - Security Awareness Training | Insider Threat Microsoft implements this Awareness and Training control audit 1.0.0

Role-based Security Training

ID: NIST SP 800-53 Rev. 4 AT-3

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1093 - Role-Based Security Training Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1094 - Role-Based Security Training Microsoft implements this Awareness and Training control audit 1.0.0
Microsoft Managed Control 1095 - Role-Based Security Training Microsoft implements this Awareness and Training control audit 1.0.0

Practical Exercises

ID: NIST SP 800-53 Rev. 4 AT-3 (3)

Name (Azure portal) Description Effect(s) Version (GitHub)
Microsoft Managed Control 1096 - Role-Based Security Training | Practical Exercises Microsoft implements this Awareness and Training control audit 1.0.0

Suspicious Communications and Anomalous System Behavior

ID: NIST SP 800-53 Rev. 4 AT-3 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1097 - Role-Based Security Training \| Suspicious Communications And Anomalous System Behavior | Microsoft implements this Awareness and Training control | audit | 1.0.0 |

Security Training Records

ID: NIST SP 800-53 Rev. 4 AT-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1098 - Security Training Records | Microsoft implements this Awareness and Training control | audit | 1.0.0 |
| Microsoft Managed Control 1099 - Security Training Records | Microsoft implements this Awareness and Training control | audit | 1.0.0 |

Audit and Accountability

Audit and Accountability Policy and Procedures

ID: NIST SP 800-53 Rev. 4 AU-1

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1100 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1101 - Audit And Accountability Policy And Procedures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Audit Events

ID: NIST SP 800-53 Rev. 4 AU-2

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1102 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1103 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1104 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1105 - Audit Events | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Reviews and Updates

ID: NIST SP 800-53 Rev. 4 AU-2 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1106 - Audit Events \| Reviews And Updates | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Content of Audit Records

ID: NIST SP 800-53 Rev. 4 AU-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1107 - Content Of Audit Records | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Additional Audit Information

ID: NIST SP 800-53 Rev. 4 AU-3 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1108 - Content Of Audit Records \| Additional Audit Information | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Centralized Management of Planned Audit Record Content

ID: NIST SP 800-53 Rev. 4 AU-3 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1109 - Content Of Audit Records \| Centralized Management Of Planned Audit Record Content | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Audit Storage Capacity

ID: NIST SP 800-53 Rev. 4 AU-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1110 - Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Response to Audit Processing Failures

ID: NIST SP 800-53 Rev. 4 AU-5

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1111 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1112 - Response To Audit Processing Failures | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Audit Storage Capacity

ID: NIST SP 800-53 Rev. 4 AU-5 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1113 - Response To Audit Processing Failures \| Audit Storage Capacity | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Real-time Alerts

ID: NIST SP 800-53 Rev. 4 AU-5 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1114 - Response To Audit Processing Failures \| Real-Time Alerts | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Audit Review, Analysis, and Reporting

ID: NIST SP 800-53 Rev. 4 AU-6

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1115 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Microsoft Managed Control 1116 - Audit Review, Analysis, And Reporting | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |

Process Integration

ID: NIST SP 800-53 Rev. 4 AU-6 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1117 - Audit Review, Analysis, And Reporting \| Process Integration | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Correlate Audit Repositories

ID: NIST SP 800-53 Rev. 4 AU-6 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1118 - Audit Review, Analysis, And Reporting \| Correlate Audit Repositories | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |

Central Review and Analysis

ID: NIST SP 800-53 Rev. 4 AU-6 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Microsoft Managed Control 1119 - Audit Review, Analysis, And Reporting \| Central Review And Analysis | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |

Integration / Scanning and Monitoring Capabilities

ID: NIST SP 800-53 Rev. 4 AU-6 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | AuditIfNotExists, Disabled | 3.0.0-preview |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 1.0.1 |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | AuditIfNotExists, Disabled | 1.0.0 |
| Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0-preview |
| Microsoft Managed Control 1120 - Audit Review, Analysis, And Reporting \| Integration / Scanning And Monitoring Capabilities | Microsoft implements this Audit and Accountability control | audit | 1.0.0 |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.1-preview |
| Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0 |
| Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 3.0.1 |
| Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised | AuditIfNotExists, Disabled | 5.0.0 |
| Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. | AuditIfNotExists, Disabled | 2.0.1 |
| Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | AuditIfNotExists, Disabled | 1.0.1 |

Correlation with Physical Monitoring

ID: NIST SP 800-53 Rev. 4 AU-6 (6)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring Microsoft implements this Audit and Accountability control audit 1.0.0

Permitted Actions

ID: NIST SP 800-53 Rev. 4 AU-6 (7)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted Actions Microsoft implements this Audit and Accountability control audit 1.0.0

Audit Level Adjustment

ID: NIST SP 800-53 Rev. 4 AU-6 (10)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level Adjustment Microsoft implements this Audit and Accountability control audit 1.0.0

Audit Reduction and Report Generation

ID: NIST SP 800-53 Rev. 4 AU-7

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1124 - Audit Reduction And Report Generation Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1125 - Audit Reduction And Report Generation Microsoft implements this Audit and Accountability control audit 1.0.0

Automatic Processing

ID: NIST SP 800-53 Rev. 4 AU-7 (1)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing Microsoft implements this Audit and Accountability control audit 1.0.0

Time Stamps

ID: NIST SP 800-53 Rev. 4 AU-8

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1127 - Time Stamps Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1128 - Time Stamps Microsoft implements this Audit and Accountability control audit 1.0.0

Synchronization with Authoritative Time Source

ID: NIST SP 800-53 Rev. 4 AU-8 (1)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time Source Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time Source Microsoft implements this Audit and Accountability control audit 1.0.0

Protection of Audit Information

ID: NIST SP 800-53 Rev. 4 AU-9

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1131 - Protection Of Audit Information Microsoft implements this Audit and Accountability control audit 1.0.0

Audit Backup On Separate Physical Systems / Components

ID: NIST SP 800-53 Rev. 4 AU-9 (2)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components Microsoft implements this Audit and Accountability control audit 1.0.0

Cryptographic Protection

ID: NIST SP 800-53 Rev. 4 AU-9 (3)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection Microsoft implements this Audit and Accountability control audit 1.0.0

Access by Subset of Privileged Users

ID: NIST SP 800-53 Rev. 4 AU-9 (4)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1134 - Protection Of Audit Information | Access By Subset Of Privileged Users Microsoft implements this Audit and Accountability control audit 1.0.0

Non-repudiation

ID: NIST SP 800-53 Rev. 4 AU-10

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1135 - Non-Repudiation Microsoft implements this Audit and Accountability control audit 1.0.0

Audit Record Retention

ID: NIST SP 800-53 Rev. 4 AU-11

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1136 - Audit Record Retention Microsoft implements this Audit and Accountability control audit 1.0.0
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 3.0.0

Audit Generation

ID: NIST SP 800-53 Rev. 4 AU-12

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. AuditIfNotExists, Disabled 3.0.0-preview
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for container registries should be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. AuditIfNotExists, Disabled 1.0.3
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0-preview
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Kubernetes should be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security. AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0-preview
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0-preview
Microsoft Managed Control 1137 - Audit Generation Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1138 - Audit Generation Microsoft implements this Audit and Accountability control audit 1.0.0
Microsoft Managed Control 1139 - Audit Generation Microsoft implements this Audit and Accountability control audit 1.0.0
Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.1-preview
Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.1-preview
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 3.0.1
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Virtual Machine Scale Sets should be enabled It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. AuditIfNotExists, Disabled 2.0.1
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1

System-wide / Time-correlated Audit Trail

ID: NIST SP 800-53 Rev. 4 AU-12 (1)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more at https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. AuditIfNotExists, Disabled 3.0.0-preview
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Azure SQL Database servers should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for container registries should be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. AuditIfNotExists, Disabled 1.0.3
Azure Defender for DNS should be enabled Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0-preview
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Kubernetes should be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. AuditIfNotExists, Disabled 1.0.0
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Defender for SQL servers on machines should be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security. AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure Defender for Storage should be enabled Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. AuditIfNotExists, Disabled 1.0.3
Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1
Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0-preview
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. AuditIfNotExists, Disabled 1.0.0
Log Analytics agent should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. AuditIfNotExists, Disabled 1.0.0-preview
Microsoft Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit Trail Microsoft implements this Audit and Accountability control audit 1.0.0
Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.1-preview
Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.1-preview
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario-level monitoring enables you to diagnose problems with an end-to-end view of the network. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 3.0.1
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Virtual Machine Scale Sets should be enabled It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. AuditIfNotExists, Disabled 2.0.1
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity. Learn more at https://aka.ms/gcpol. AuditIfNotExists, Disabled 1.0.1

Changes by Authorized Individuals

ID: NIST SP 800-53 Rev. 4 AU-12 (3)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1141 - Audit Generation | Changes By Authorized Individuals Microsoft implements this Audit and Accountability control audit 1.0.0

Security Assessment and Authorization

Security Assessment and Authorization Policy and Procedures

ID: NIST SP 800-53 Rev. 4 CA-1

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1142 - Security Assessment And Authorization Policy And Procedures Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1143 - Security Assessment And Authorization Policy And Procedures Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Security Assessments

ID: NIST SP 800-53 Rev. 4 CA-2

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1144 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1145 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1146 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0
Microsoft Managed Control 1147 - Security Assessments Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Independent Assessors

ID: NIST SP 800-53 Rev. 4 CA-2 (1)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1148 - Security Assessments | Independent Assessors Microsoft implements this Security Assessment and Authorization control audit 1.0.0

Specialized Assessments

ID: NIST SP 800-53 Rev. 4 CA-2 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1149 - Security Assessments \| Specialized Assessments | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

External Organizations

ID: NIST SP 800-53 Rev. 4 CA-2 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1150 - Security Assessments \| External Organizations | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

System Interconnections

ID: NIST SP 800-53 Rev. 4 CA-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1151 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1152 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1153 - System Interconnections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Unclassified Non-national Security System Connections

ID: NIST SP 800-53 Rev. 4 CA-3 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1154 - System Interconnections \| Unclassified Non-National Security System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Restrictions On External System Connections

ID: NIST SP 800-53 Rev. 4 CA-3 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1155 - System Interconnections \| Restrictions On External System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Plan of Action and Milestones

ID: NIST SP 800-53 Rev. 4 CA-5

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1156 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1157 - Plan Of Action And Milestones | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Security Authorization

ID: NIST SP 800-53 Rev. 4 CA-6

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1158 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1159 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1160 - Security Authorization | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Continuous Monitoring

ID: NIST SP 800-53 Rev. 4 CA-7

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1161 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1162 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1163 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1164 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1165 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1166 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1167 - Continuous Monitoring | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Independent Assessment

ID: NIST SP 800-53 Rev. 4 CA-7 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1168 - Continuous Monitoring \| Independent Assessment | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Trend Analyses

ID: NIST SP 800-53 Rev. 4 CA-7 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1169 - Continuous Monitoring \| Trend Analyses | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Penetration Testing

ID: NIST SP 800-53 Rev. 4 CA-8

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1170 - Penetration Testing | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Independent Penetration Agent or Team

ID: NIST SP 800-53 Rev. 4 CA-8 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1171 - Penetration Testing \| Independent Penetration Agent Or Team | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Internal System Connections

ID: NIST SP 800-53 Rev. 4 CA-9

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1172 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |
| Microsoft Managed Control 1173 - Internal System Connections | Microsoft implements this Security Assessment and Authorization control | audit | 1.0.0 |

Configuration Management

Configuration Management Policy and Procedures

ID: NIST SP 800-53 Rev. 4 CM-1

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1174 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1175 - Configuration Management Policy And Procedures | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Baseline Configuration

ID: NIST SP 800-53 Rev. 4 CM-2

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1176 - Baseline Configuration | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Reviews and Updates

ID: NIST SP 800-53 Rev. 4 CM-2 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1177 - Baseline Configuration \| Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1178 - Baseline Configuration \| Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1179 - Baseline Configuration \| Reviews And Updates | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Automation Support for Accuracy / Currency

ID: NIST SP 800-53 Rev. 4 CM-2 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1180 - Baseline Configuration \| Automation Support For Accuracy / Currency | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Retention of Previous Configurations

ID: NIST SP 800-53 Rev. 4 CM-2 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1181 - Baseline Configuration \| Retention Of Previous Configurations | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Configure Systems, Components, or Devices for High-risk Areas

ID: NIST SP 800-53 Rev. 4 CM-2 (7)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1182 - Baseline Configuration \| Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1183 - Baseline Configuration \| Configure Systems, Components, Or Devices For High-Risk Areas | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Configuration Change Control

ID: NIST SP 800-53 Rev. 4 CM-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1184 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1185 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1186 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1187 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1188 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1189 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1190 - Configuration Change Control | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Automated Document / Notification / Prohibition of Changes

ID: NIST SP 800-53 Rev. 4 CM-3 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1191 - Configuration Change Control \| Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1192 - Configuration Change Control \| Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1193 - Configuration Change Control \| Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1194 - Configuration Change Control \| Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1195 - Configuration Change Control \| Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1196 - Configuration Change Control \| Automated Document / Notification / Prohibition Of Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Test / Validate / Document Changes

ID: NIST SP 800-53 Rev. 4 CM-3 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1197 - Configuration Change Control \| Test / Validate / Document Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Security Representative

ID: NIST SP 800-53 Rev. 4 CM-3 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1198 - Configuration Change Control \| Security Representative | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Cryptography Management

ID: NIST SP 800-53 Rev. 4 CM-3 (6)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1199 - Configuration Change Control \| Cryptography Management | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Security Impact Analysis

ID: NIST SP 800-53 Rev. 4 CM-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1200 - Security Impact Analysis | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Separate Test Environments

ID: NIST SP 800-53 Rev. 4 CM-4 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1201 - Security Impact Analysis \| Separate Test Environments | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Access Restrictions for Change

ID: NIST SP 800-53 Rev. 4 CM-5

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1202 - Access Restrictions For Change | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Automated Access Enforcement / Auditing

ID: NIST SP 800-53 Rev. 4 CM-5 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1203 - Access Restrictions For Change \| Automated Access Enforcement / Auditing | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Review System Changes

ID: NIST SP 800-53 Rev. 4 CM-5 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1204 - Access Restrictions For Change \| Review System Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Signed Components

ID: NIST SP 800-53 Rev. 4 CM-5 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1205 - Access Restrictions For Change \| Signed Components | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Limit Production / Operational Privileges

ID: NIST SP 800-53 Rev. 4 CM-5 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1206 - Access Restrictions For Change \| Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1207 - Access Restrictions For Change \| Limit Production / Operational Privileges | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Configuration Settings

ID: NIST SP 800-53 Rev. 4 CM-6

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| CORS should not allow every resource to access your API App | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Function Apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. | AuditIfNotExists, Disabled | 1.0.0 |
| CORS should not allow every resource to access your Web Applications | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. | AuditIfNotExists, Disabled | 1.0.0 |
| Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Audit, Disabled | 1.0.0 |
| Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. | Audit, Disabled | 1.0.1 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 7.0.0 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 3.0.1 |
| Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 6.1.1 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 7.0.0 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read-only root file system to protect against run-time changes such as malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes cluster. This recommendation is part of Pod Security Policies, which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4, which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 4.0.1 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 6.1.1 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged container creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1, which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 7.0.0 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5, which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | disabled | 3.0.1 |
| Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 1.1.1-preview |
| Microsoft Managed Control 1208 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1209 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1210 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1211 - Configuration Settings | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Remote debugging should be turned off for API Apps | Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Function Apps | Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Remote debugging should be turned off for Web Applications | Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 1.0.0 |
| Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | AuditIfNotExists, Disabled | 1.0.1-preview |

Automated Central Management / Application / Verification

ID: NIST SP 800-53 Rev. 4 CM-6 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1212 - Configuration Settings \| Automated Central Management / Application / Verification | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Respond to Unauthorized Changes

ID: NIST SP 800-53 Rev. 4 CM-6 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1213 - Configuration Settings \| Respond To Unauthorized Changes | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Least Functionality

ID: NIST SP 800-53 Rev. 4 CM-7

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Microsoft Managed Control 1214 - Least Functionality | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1215 - Least Functionality | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Periodic Review

ID: NIST SP 800-53 Rev. 4 CM-7 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1216 - Least Functionality \| Periodic Review | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1217 - Least Functionality \| Periodic Review | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Prevent Program Execution

ID: NIST SP 800-53 Rev. 4 CM-7 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1218 - Least Functionality \| Prevent Program Execution | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Authorized Software / Whitelisting

ID: NIST SP 800-53 Rev. 4 CM-7 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1219 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1220 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1221 - Least Functionality \| Authorized Software / Whitelisting | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Information System Component Inventory

ID: NIST SP 800-53 Rev. 4 CM-8

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1222 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1223 - Information System Component Inventory | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Updates During Installations / Removals

ID: NIST SP 800-53 Rev. 4 CM-8 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1224 - Information System Component Inventory \| Updates During Installations / Removals | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Automated Maintenance

ID: NIST SP 800-53 Rev. 4 CM-8 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1225 - Information System Component Inventory \| Automated Maintenance | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Automated Unauthorized Component Detection

ID: NIST SP 800-53 Rev. 4 CM-8 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1226 - Information System Component Inventory \| Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1227 - Information System Component Inventory \| Automated Unauthorized Component Detection | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Accountability Information

ID: NIST SP 800-53 Rev. 4 CM-8 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1228 - Information System Component Inventory \| Accountability Information | Microsoft implements this Configuration Management control | audit | 1.0.0 |

No Duplicate Accounting of Components

ID: NIST SP 800-53 Rev. 4 CM-8 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1229 - Information System Component Inventory \| No Duplicate Accounting Of Components | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Configuration Management Plan

ID: NIST SP 800-53 Rev. 4 CM-9

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1230 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1231 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1232 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1233 - Configuration Management Plan | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Software Usage Restrictions

ID: NIST SP 800-53 Rev. 4 CM-10

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1234 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1235 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1236 - Software Usage Restrictions | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Open Source Software

ID: NIST SP 800-53 Rev. 4 CM-10 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1237 - Software Usage Restrictions \| Open Source Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |

User-installed Software

ID: NIST SP 800-53 Rev. 4 CM-11

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0 |
| Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1238 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1239 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |
| Microsoft Managed Control 1240 - User-Installed Software | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Alerts for Unauthorized Installations

ID: NIST SP 800-53 Rev. 4 CM-11 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1241 - User-Installed Software \| Alerts For Unauthorized Installations | Microsoft implements this Configuration Management control | audit | 1.0.0 |

Contingency Planning

Contingency Planning Policy and Procedures

ID: NIST SP 800-53 Rev. 4 CP-1

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1242 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1243 - Contingency Planning Policy And Procedures | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Contingency Plan

ID: NIST SP 800-53 Rev. 4 CP-2

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1244 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1245 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1246 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1247 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1248 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1249 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1250 - Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

ID: NIST SP 800-53 Rev. 4 CP-2 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1251 - Contingency Plan \| Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Capacity Planning

ID: NIST SP 800-53 Rev. 4 CP-2 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1252 - Contingency Plan \| Capacity Planning | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Resume Essential Missions / Business Functions

ID: NIST SP 800-53 Rev. 4 CP-2 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1253 - Contingency Plan \| Resume Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Resume All Missions / Business Functions

ID: NIST SP 800-53 Rev. 4 CP-2 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1254 - Contingency Plan \| Resume All Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Continue Essential Missions / Business Functions

ID: NIST SP 800-53 Rev. 4 CP-2 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1255 - Contingency Plan \| Continue Essential Missions / Business Functions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Identify Critical Assets

ID: NIST SP 800-53 Rev. 4 CP-2 (8)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1256 - Contingency Plan \| Identify Critical Assets | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Contingency Training

ID: NIST SP 800-53 Rev. 4 CP-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1257 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1258 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1259 - Contingency Training | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Simulated Events

ID: NIST SP 800-53 Rev. 4 CP-3 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1260 - Contingency Training \| Simulated Events | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Contingency Plan Testing

ID: NIST SP 800-53 Rev. 4 CP-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1261 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1262 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1263 - Contingency Plan Testing | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

ID: NIST SP 800-53 Rev. 4 CP-4 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1264 - Contingency Plan Testing \| Coordinate With Related Plans | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Alternate Processing Site

ID: NIST SP 800-53 Rev. 4 CP-4 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1265 - Contingency Plan Testing \| Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1266 - Contingency Plan Testing \| Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Alternate Storage Site

ID: NIST SP 800-53 Rev. 4 CP-6

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1267 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1268 - Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Separation from Primary Site

ID: NIST SP 800-53 Rev. 4 CP-6 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications | Audit, Disabled | 1.0.0 |
| Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1269 - Alternate Storage Site \| Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Recovery Time / Point Objectives

ID: NIST SP 800-53 Rev. 4 CP-6 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1270 - Alternate Storage Site \| Recovery Time / Point Objectives | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Accessibility

ID: NIST SP 800-53 Rev. 4 CP-6 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1271 - Alternate Storage Site \| Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Alternate Processing Site

ID: NIST SP 800-53 Rev. 4 CP-7

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Microsoft Managed Control 1272 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1273 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1274 - Alternate Processing Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Separation from Primary Site

ID: NIST SP 800-53 Rev. 4 CP-7 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1275 - Alternate Processing Site \| Separation From Primary Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Accessibility

ID: NIST SP 800-53 Rev. 4 CP-7 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1276 - Alternate Processing Site \| Accessibility | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Priority of Service

ID: NIST SP 800-53 Rev. 4 CP-7 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1277 - Alternate Processing Site \| Priority Of Service | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Preparation for Use

ID: NIST SP 800-53 Rev. 4 CP-7 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1278 - Alternate Processing Site \| Preparation For Use | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Telecommunications Services

ID: NIST SP 800-53 Rev. 4 CP-8

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1279 - Telecommunications Services | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Priority of Service Provisions

ID: NIST SP 800-53 Rev. 4 CP-8 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1280 - Telecommunications Services \| Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1281 - Telecommunications Services \| Priority Of Service Provisions | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Single Points of Failure

ID: NIST SP 800-53 Rev. 4 CP-8 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1282 - Telecommunications Services \| Single Points Of Failure | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Separation of Primary / Alternate Providers

ID: NIST SP 800-53 Rev. 4 CP-8 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1283 - Telecommunications Services \| Separation Of Primary / Alternate Providers | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Provider Contingency Plan

ID: NIST SP 800-53 Rev. 4 CP-8 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1284 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1285 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1286 - Telecommunications Services \| Provider Contingency Plan | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Information System Backup

ID: NIST SP 800-53 Rev. 4 CP-9

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 2.0.0 |
| Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Audit, Deny, Disabled | 2.0.0 |
| Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Audit, Deny, Disabled | 2.0.0 |
| Microsoft Managed Control 1287 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1288 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1289 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |
| Microsoft Managed Control 1290 - Information System Backup | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Testing for Reliability / Integrity

ID: NIST SP 800-53 Rev. 4 CP-9 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1291 - Information System Backup \| Testing For Reliability / Integrity | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Test Restoration Using Sampling

ID: NIST SP 800-53 Rev. 4 CP-9 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1292 - Information System Backup \| Test Restoration Using Sampling | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Separate Storage for Critical Information

ID: NIST SP 800-53 Rev. 4 CP-9 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1293 - Information System Backup \| Separate Storage For Critical Information | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Transfer to Alternate Storage Site

ID: NIST SP 800-53 Rev. 4 CP-9 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1294 - Information System Backup \| Transfer To Alternate Storage Site | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Information System Recovery and Reconstitution

ID: NIST SP 800-53 Rev. 4 CP-10

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1295 - Information System Recovery And Reconstitution | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Transaction Recovery

ID: NIST SP 800-53 Rev. 4 CP-10 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1296 - Information System Recovery And Reconstitution \| Transaction Recovery | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Restore Within Time Period

ID: NIST SP 800-53 Rev. 4 CP-10 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1297 - Information System Recovery And Reconstitution \| Restore Within Time Period | Microsoft implements this Contingency Planning control | audit | 1.0.0 |

Identification and Authentication

Identification and Authentication Policy and Procedures

ID: NIST SP 800-53 Rev. 4 IA-1

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1298 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1299 - Identification And Authentication Policy And Procedures | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Identification and Authentication (organizational Users)

ID: NIST SP 800-53 Rev. 4 IA-2

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1300 - Identification And Authentication (Organizational Users) | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |

Network Access to Privileged Accounts

ID: NIST SP 800-53 Rev. 4 IA-2 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1301 - Identification And Authentication (Org. Users) \| Network Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Network Access to Non-privileged Accounts

ID: NIST SP 800-53 Rev. 4 IA-2 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Microsoft Managed Control 1302 - Identification And Authentication (Org. Users) \| Network Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Local Access to Privileged Accounts

ID: NIST SP 800-53 Rev. 4 IA-2 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1303 - Identification And Authentication (Org. Users) \| Local Access To Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Local Access to Non-privileged Accounts

ID: NIST SP 800-53 Rev. 4 IA-2 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1304 - Identification And Authentication (Org. Users) \| Local Access To Non-Privileged Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Group Authentication

ID: NIST SP 800-53 Rev. 4 IA-2 (5)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1305 - Identification And Authentication (Org. Users) \| Group Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Network Access to Privileged Accounts - Replay Resistant

ID: NIST SP 800-53 Rev. 4 IA-2 (8)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1306 - Identification And Authentication (Org. Users) \| Net. Access To Priv. Accts. - Replay | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Network Access to Non-privileged Accounts - Replay Resistant

ID: NIST SP 800-53 Rev. 4 IA-2 (9)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1307 - Identification And Authentication (Org. Users) \| Net. Access To Non-Priv. Accts. - Replay | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Remote Access - Separate Device

ID: NIST SP 800-53 Rev. 4 IA-2 (11)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1308 - Identification And Authentication (Org. Users) \| Remote Access - Separate Device | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Acceptance of PIV Credentials

ID: NIST SP 800-53 Rev. 4 IA-2 (12)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1309 - Identification And Authentication (Org. Users) \| Acceptance Of Piv Credentials | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Device Identification and Authentication

ID: NIST SP 800-53 Rev. 4 IA-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1310 - Device Identification And Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Identifier Management

ID: NIST SP 800-53 Rev. 4 IA-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. | Audit, Deny, Disabled | 1.0.0 |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1311 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1312 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1313 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1314 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1315 - Identifier Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 |
| Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | AuditIfNotExists, Disabled | 1.0.0 |

Identify User Status

ID: NIST SP 800-53 Rev. 4 IA-4 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1316 - Identifier Management \| Identify User Status | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Authenticator Management

ID: NIST SP 800-53 Rev. 4 IA-5

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 1.0.0 |
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 2.0.1 |
| Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | disabled | 2.1.0-preview |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. | Audit, Deny, Disabled | 1.0.2 |
| Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. | Audit, Deny, Disabled | 1.0.2 |
| Microsoft Managed Control 1317 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1318 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1319 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1320 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1321 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1322 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1323 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1324 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1325 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1326 - Authenticator Management | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Password-based Authentication

ID: NIST SP 800-53 Rev. 4 IA-5 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 1.0.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines allow re-use of the previous 24 passwords. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have a maximum password age of 70 days. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have a minimum password age of 1 day. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not have the password complexity setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not restrict the minimum password length to 14 characters. | AuditIfNotExists, Disabled | 1.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 1.0.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.0.1 |
| Microsoft Managed Control 1327 - Authenticator Management \| Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1328 - Authenticator Management \| Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1329 - Authenticator Management \| Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1330 - Authenticator Management \| Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1331 - Authenticator Management \| Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1332 - Authenticator Management \| Password-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

PKI-based Authentication

ID: NIST SP 800-53 Rev. 4 IA-5 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1333 - Authenticator Management \| Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1334 - Authenticator Management \| Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1335 - Authenticator Management \| Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |
| Microsoft Managed Control 1336 - Authenticator Management \| Pki-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

In-person or Trusted Third-party Registration

ID: NIST SP 800-53 Rev. 4 IA-5 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1337 - Authenticator Management \| In-Person Or Trusted Third-Party Registration | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Automated Support for Password Strength Determination

ID: NIST SP 800-53 Rev. 4 IA-5 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1338 - Authenticator Management \| Automated Support For Password Strength Determination | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Protection of Authenticators

ID: NIST SP 800-53 Rev. 4 IA-5 (6)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1339 - Authenticator Management \| Protection Of Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

No Embedded Unencrypted Static Authenticators

ID: NIST SP 800-53 Rev. 4 IA-5 (7)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1340 - Authenticator Management \| No Embedded Unencrypted Static Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Multiple Information System Accounts

ID: NIST SP 800-53 Rev. 4 IA-5 (8)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1341 - Authenticator Management \| Multiple Information System Accounts | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Hardware Token-based Authentication

ID: NIST SP 800-53 Rev. 4 IA-5 (11)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1342 - Authenticator Management \| Hardware Token-Based Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Expiration of Cached Authenticators

ID: NIST SP 800-53 Rev. 4 IA-5 (13)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1343 - Authenticator Management \| Expiration Of Cached Authenticators | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Authenticator Feedback

ID: NIST SP 800-53 Rev. 4 IA-6

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1344 - Authenticator Feedback | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Cryptographic Module Authentication

ID: NIST SP 800-53 Rev. 4 IA-7

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1345 - Cryptographic Module Authentication | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Identification and Authentication (non-organizational Users)

ID: NIST SP 800-53 Rev. 4 IA-8

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1346 - Identification And Authentication (Non-Organizational Users) | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Acceptance of PIV Credentials from Other Agencies

ID: NIST SP 800-53 Rev. 4 IA-8 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1347 - Identification And Authentication (Non-Org. Users) \| Acceptance Of PIV Creds. From Other Agys. | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Acceptance of Third-party Credentials

ID: NIST SP 800-53 Rev. 4 IA-8 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1348 - Identification And Authentication (Non-Org. Users) \| Acceptance Of Third-Party Credentials | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Use of FICAM-approved Products

ID: NIST SP 800-53 Rev. 4 IA-8 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1349 - Identification And Authentication (Non-Org. Users) \| Use Of FICAM-Approved Products | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Use of FICAM-issued Profiles

ID: NIST SP 800-53 Rev. 4 IA-8 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1350 - Identification And Authentication (Non-Org. Users) \| Use Of FICAM-Issued Profiles | Microsoft implements this Identification and Authentication control | audit | 1.0.0 |

Incident Response

Incident Response Policy and Procedures

ID: NIST SP 800-53 Rev. 4 IR-1

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1351 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1352 - Incident Response Policy And Procedures | Microsoft implements this Incident Response control | audit | 1.0.0 |

Incident Response Training

ID: NIST SP 800-53 Rev. 4 IR-2

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1353 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1354 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1355 - Incident Response Training | Microsoft implements this Incident Response control | audit | 1.0.0 |

Simulated Events

ID: NIST SP 800-53 Rev. 4 IR-2 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1356 - Incident Response Training \| Simulated Events | Microsoft implements this Incident Response control | audit | 1.0.0 |

Automated Training Environments

ID: NIST SP 800-53 Rev. 4 IR-2 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1357 - Incident Response Training \| Automated Training Environments | Microsoft implements this Incident Response control | audit | 1.0.0 |

Incident Response Testing

ID: NIST SP 800-53 Rev. 4 IR-3

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1358 - Incident Response Testing | Microsoft implements this Incident Response control | audit | 1.0.0 |

Coordination with Related Plans

ID: NIST SP 800-53 Rev. 4 IR-3 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1359 - Incident Response Testing \| Coordination With Related Plans | Microsoft implements this Incident Response control | audit | 1.0.0 |

Incident Handling

ID: NIST SP 800-53 Rev. 4 IR-4

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1360 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1361 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1362 - Incident Handling | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |

Automated Incident Handling Processes

ID: NIST SP 800-53 Rev. 4 IR-4 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1363 - Incident Handling \| Automated Incident Handling Processes | Microsoft implements this Incident Response control | audit | 1.0.0 |

Dynamic Reconfiguration

ID: NIST SP 800-53 Rev. 4 IR-4 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1364 - Incident Handling \| Dynamic Reconfiguration | Microsoft implements this Incident Response control | audit | 1.0.0 |

Continuity of Operations

ID: NIST SP 800-53 Rev. 4 IR-4 (3)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1365 - Incident Handling \| Continuity Of Operations | Microsoft implements this Incident Response control | audit | 1.0.0 |

Information Correlation

ID: NIST SP 800-53 Rev. 4 IR-4 (4)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1366 - Incident Handling \| Information Correlation | Microsoft implements this Incident Response control | audit | 1.0.0 |

Insider Threats - Specific Capabilities

ID: NIST SP 800-53 Rev. 4 IR-4 (6)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1367 - Incident Handling \| Insider Threats - Specific Capabilities | Microsoft implements this Incident Response control | audit | 1.0.0 |

Correlation with External Organizations

ID: NIST SP 800-53 Rev. 4 IR-4 (8)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1368 - Incident Handling \| Correlation With External Organizations | Microsoft implements this Incident Response control | audit | 1.0.0 |

Incident Monitoring

ID: NIST SP 800-53 Rev. 4 IR-5

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 |
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 |
| Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Microsoft Managed Control 1369 - Incident Monitoring | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |

Automated Tracking / Data Collection / Analysis

ID: NIST SP 800-53 Rev. 4 IR-5 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1370 - Incident Monitoring \| Automated Tracking / Data Collection / Analysis | Microsoft implements this Incident Response control | audit | 1.0.0 |

Incident Reporting

ID: NIST SP 800-53 Rev. 4 IR-6

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1371 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |
| Microsoft Managed Control 1372 - Incident Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |

Automated Reporting

ID: NIST SP 800-53 Rev. 4 IR-6 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1373 - Incident Reporting \| Automated Reporting | Microsoft implements this Incident Response control | audit | 1.0.0 |

Vulnerabilities Related to Incidents

ID: NIST SP 800-53 Rev. 4 IR-6 (2)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |

Incident Response Assistance

ID: NIST SP 800-53 Rev. 4 IR-7

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1374 - Incident Response Assistance | Microsoft implements this Incident Response control | audit | 1.0.0 |

Automation Support for Availability of Information / Support

ID: NIST SP 800-53 Rev. 4 IR-7 (1)

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Microsoft Managed Control 1375 - Incident Response Assistance \| Automation Support For Availability Of Information / Support | Microsoft implements this Incident Response control | audit | 1.0.0 |

Coordination with External Providers

ID: NIST SP 800-53 Rev. 4 IR-7 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1376 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1377 - Incident Response Assistance | Coordination With External Providers Microsoft implements this Incident Response control audit 1.0.0

Incident Response Plan

ID: NIST SP 800-53 Rev. 4 IR-8

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1378 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1379 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1380 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1381 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1382 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1383 - Incident Response Plan Microsoft implements this Incident Response control audit 1.0.0

Information Spillage Response

ID: NIST SP 800-53 Rev. 4 IR-9

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1384 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1385 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1386 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1387 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1388 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0
Microsoft Managed Control 1389 - Information Spillage Response Microsoft implements this Incident Response control audit 1.0.0

Responsible Personnel

ID: NIST SP 800-53 Rev. 4 IR-9 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1390 - Information Spillage Response | Responsible Personnel Microsoft implements this Incident Response control audit 1.0.0

Training

ID: NIST SP 800-53 Rev. 4 IR-9 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1391 - Information Spillage Response | Training Microsoft implements this Incident Response control audit 1.0.0

Post-spill Operations

ID: NIST SP 800-53 Rev. 4 IR-9 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1392 - Information Spillage Response | Post-Spill Operations Microsoft implements this Incident Response control audit 1.0.0

Exposure to Unauthorized Personnel

ID: NIST SP 800-53 Rev. 4 IR-9 (4)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized Personnel Microsoft implements this Incident Response control audit 1.0.0

Maintenance

System Maintenance Policy and Procedures

ID: NIST SP 800-53 Rev. 4 MA-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1394 - System Maintenance Policy And Procedures Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1395 - System Maintenance Policy And Procedures Microsoft implements this Maintenance control audit 1.0.0

Controlled Maintenance

ID: NIST SP 800-53 Rev. 4 MA-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1396 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1397 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1398 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1399 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1400 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1401 - Controlled Maintenance Microsoft implements this Maintenance control audit 1.0.0

Automated Maintenance Activities

ID: NIST SP 800-53 Rev. 4 MA-2 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities Microsoft implements this Maintenance control audit 1.0.0

Maintenance Tools

ID: NIST SP 800-53 Rev. 4 MA-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1404 - Maintenance Tools Microsoft implements this Maintenance control audit 1.0.0

Inspect Tools

ID: NIST SP 800-53 Rev. 4 MA-3 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1405 - Maintenance Tools | Inspect Tools Microsoft implements this Maintenance control audit 1.0.0

Inspect Media

ID: NIST SP 800-53 Rev. 4 MA-3 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1406 - Maintenance Tools | Inspect Media Microsoft implements this Maintenance control audit 1.0.0

Prevent Unauthorized Removal

ID: NIST SP 800-53 Rev. 4 MA-3 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1409 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal Microsoft implements this Maintenance control audit 1.0.0

Nonlocal Maintenance

ID: NIST SP 800-53 Rev. 4 MA-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1411 - Nonlocal Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1412 - Nonlocal Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1413 - Nonlocal Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1414 - Nonlocal Maintenance Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1415 - Nonlocal Maintenance Microsoft implements this Maintenance control audit 1.0.0

Document Nonlocal Maintenance

ID: NIST SP 800-53 Rev. 4 MA-4 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance Microsoft implements this Maintenance control audit 1.0.0

Comparable Security / Sanitization

ID: NIST SP 800-53 Rev. 4 MA-4 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control audit 1.0.0

Cryptographic Protection

ID: NIST SP 800-53 Rev. 4 MA-4 (6)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection Microsoft implements this Maintenance control audit 1.0.0

Maintenance Personnel

ID: NIST SP 800-53 Rev. 4 MA-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1420 - Maintenance Personnel Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1421 - Maintenance Personnel Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1422 - Maintenance Personnel Microsoft implements this Maintenance control audit 1.0.0

Individuals Without Appropriate Access

ID: NIST SP 800-53 Rev. 4 MA-5 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate Access Microsoft implements this Maintenance control audit 1.0.0
Microsoft Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate Access Microsoft implements this Maintenance control audit 1.0.0

Timely Maintenance

ID: NIST SP 800-53 Rev. 4 MA-6

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1425 - Timely Maintenance Microsoft implements this Maintenance control audit 1.0.0

Media Protection

Media Protection Policy and Procedures

ID: NIST SP 800-53 Rev. 4 MP-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1426 - Media Protection Policy And Procedures Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1427 - Media Protection Policy And Procedures Microsoft implements this Media Protection control audit 1.0.0

Media Access

ID: NIST SP 800-53 Rev. 4 MP-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1428 - Media Access Microsoft implements this Media Protection control audit 1.0.0

Media Marking

ID: NIST SP 800-53 Rev. 4 MP-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1429 - Media Marking Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1430 - Media Marking Microsoft implements this Media Protection control audit 1.0.0

Media Storage

ID: NIST SP 800-53 Rev. 4 MP-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1431 - Media Storage Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1432 - Media Storage Microsoft implements this Media Protection control audit 1.0.0

Media Transport

ID: NIST SP 800-53 Rev. 4 MP-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1433 - Media Transport Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1434 - Media Transport Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1435 - Media Transport Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1436 - Media Transport Microsoft implements this Media Protection control audit 1.0.0

Cryptographic Protection

ID: NIST SP 800-53 Rev. 4 MP-5 (4)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1437 - Media Transport | Cryptographic Protection Microsoft implements this Media Protection control audit 1.0.0

Media Sanitization

ID: NIST SP 800-53 Rev. 4 MP-6

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1438 - Media Sanitization Microsoft implements this Media Protection control audit 1.0.0
Microsoft Managed Control 1439 - Media Sanitization Microsoft implements this Media Protection control audit 1.0.0

Review / Approve / Track / Document / Verify

ID: NIST SP 800-53 Rev. 4 MP-6 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document / Verify Microsoft implements this Media Protection control audit 1.0.0

Equipment Testing

ID: NIST SP 800-53 Rev. 4 MP-6 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1441 - Media Sanitization | Equipment Testing Microsoft implements this Media Protection control audit 1.0.0

Nondestructive Techniques

ID: NIST SP 800-53 Rev. 4 MP-6 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1442 - Media Sanitization | Nondestructive Techniques Microsoft implements this Media Protection control audit 1.0.0

Media Use

ID: NIST SP 800-53 Rev. 4 MP-7

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1443 - Media Use Microsoft implements this Media Protection control audit 1.0.0

Prohibit Use Without Owner

ID: NIST SP 800-53 Rev. 4 MP-7 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1444 - Media Use | Prohibit Use Without Owner Microsoft implements this Media Protection control audit 1.0.0

Physical and Environmental Protection

Physical and Environmental Protection Policy and Procedures

ID: NIST SP 800-53 Rev. 4 PE-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1445 - Physical And Environmental Protection Policy And Procedures Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1446 - Physical And Environmental Protection Policy And Procedures Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Physical Access Authorizations

ID: NIST SP 800-53 Rev. 4 PE-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1447 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1448 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1449 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1450 - Physical Access Authorizations Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Physical Access Control

ID: NIST SP 800-53 Rev. 4 PE-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1451 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1452 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1453 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1454 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1455 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1456 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1457 - Physical Access Control Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Information System Access

ID: NIST SP 800-53 Rev. 4 PE-3 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1458 - Physical Access Control | Information System Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Access Control for Transmission Medium

ID: NIST SP 800-53 Rev. 4 PE-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1459 - Access Control For Transmission Medium Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Access Control for Output Devices

ID: NIST SP 800-53 Rev. 4 PE-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1460 - Access Control For Output Devices Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Monitoring Physical Access

ID: NIST SP 800-53 Rev. 4 PE-6

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1461 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1462 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1463 - Monitoring Physical Access Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Intrusion Alarms / Surveillance Equipment

ID: NIST SP 800-53 Rev. 4 PE-6 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Monitoring Physical Access to Information Systems

ID: NIST SP 800-53 Rev. 4 PE-6 (4)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access To Information Systems Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Visitor Access Records

ID: NIST SP 800-53 Rev. 4 PE-8

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1466 - Visitor Access Records Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1467 - Visitor Access Records Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Automated Records Maintenance / Review

ID: NIST SP 800-53 Rev. 4 PE-8 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1468 - Visitor Access Records | Automated Records Maintenance / Review Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Power Equipment and Cabling

ID: NIST SP 800-53 Rev. 4 PE-9

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1469 - Power Equipment And Cabling Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Emergency Shutoff

ID: NIST SP 800-53 Rev. 4 PE-10

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1470 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1471 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1472 - Emergency Shutoff Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Emergency Power

ID: NIST SP 800-53 Rev. 4 PE-11

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1473 - Emergency Power Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Long-term Alternate Power Supply - Minimal Operational Capability

ID: NIST SP 800-53 Rev. 4 PE-11 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Emergency Lighting

ID: NIST SP 800-53 Rev. 4 PE-12

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1475 - Emergency Lighting Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Fire Protection

ID: NIST SP 800-53 Rev. 4 PE-13

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1476 - Fire Protection Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Detection Devices / Systems

ID: NIST SP 800-53 Rev. 4 PE-13 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1477 - Fire Protection | Detection Devices / Systems Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Suppression Devices / Systems

ID: NIST SP 800-53 Rev. 4 PE-13 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1478 - Fire Protection | Suppression Devices / Systems Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Automatic Fire Suppression

ID: NIST SP 800-53 Rev. 4 PE-13 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1479 - Fire Protection | Automatic Fire Suppression Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Temperature and Humidity Controls

ID: NIST SP 800-53 Rev. 4 PE-14

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1480 - Temperature And Humidity Controls Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1481 - Temperature And Humidity Controls Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Monitoring with Alarms / Notifications

ID: NIST SP 800-53 Rev. 4 PE-14 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1482 - Temperature And Humidity Controls | Monitoring With Alarms / Notifications Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Water Damage Protection

ID: NIST SP 800-53 Rev. 4 PE-15

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1483 - Water Damage Protection Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Automation Support

ID: NIST SP 800-53 Rev. 4 PE-15 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1484 - Water Damage Protection | Automation Support Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Delivery and Removal

ID: NIST SP 800-53 Rev. 4 PE-16

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1485 - Delivery And Removal Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Alternate Work Site

ID: NIST SP 800-53 Rev. 4 PE-17

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1486 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1487 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control audit 1.0.0
Microsoft Managed Control 1488 - Alternate Work Site Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Location of Information System Components

ID: NIST SP 800-53 Rev. 4 PE-18

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1489 - Location Of Information System Components Microsoft implements this Physical and Environmental Protection control audit 1.0.0

Planning

Security Planning Policy and Procedures

ID: NIST SP 800-53 Rev. 4 PL-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1490 - Security Planning Policy And Procedures Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1491 - Security Planning Policy And Procedures Microsoft implements this Planning control audit 1.0.0

System Security Plan

ID: NIST SP 800-53 Rev. 4 PL-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1492 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1493 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1494 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1495 - System Security Plan Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1496 - System Security Plan Microsoft implements this Planning control audit 1.0.0

Plan / Coordinate with Other Organizational Entities

ID: NIST SP 800-53 Rev. 4 PL-2 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1497 - System Security Plan | Plan / Coordinate With Other Organizational Entities Microsoft implements this Planning control audit 1.0.0

Rules of Behavior

ID: NIST SP 800-53 Rev. 4 PL-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1498 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1499 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1500 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1501 - Rules Of Behavior Microsoft implements this Planning control audit 1.0.0

Social Media and Networking Restrictions

ID: NIST SP 800-53 Rev. 4 PL-4 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions Microsoft implements this Planning control audit 1.0.0

Information Security Architecture

ID: NIST SP 800-53 Rev. 4 PL-8

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1503 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1504 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0
Microsoft Managed Control 1505 - Information Security Architecture Microsoft implements this Planning control audit 1.0.0

Personnel Security

Personnel Security Policy and Procedures

ID: NIST SP 800-53 Rev. 4 PS-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1506 - Personnel Security Policy And Procedures Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1507 - Personnel Security Policy And Procedures Microsoft implements this Personnel Security control audit 1.0.0

Position Risk Designation

ID: NIST SP 800-53 Rev. 4 PS-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1508 - Position Risk Designation Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1509 - Position Risk Designation Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1510 - Position Risk Designation Microsoft implements this Personnel Security control audit 1.0.0

Personnel Screening

ID: NIST SP 800-53 Rev. 4 PS-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1511 - Personnel Screening Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1512 - Personnel Screening Microsoft implements this Personnel Security control audit 1.0.0

Information with Special Protection Measures

ID: NIST SP 800-53 Rev. 4 PS-3 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1513 - Personnel Screening | Information With Special Protection Measures Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1514 - Personnel Screening | Information With Special Protection Measures Microsoft implements this Personnel Security control audit 1.0.0

Personnel Termination

ID: NIST SP 800-53 Rev. 4 PS-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1515 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1516 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1517 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1518 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1519 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1520 - Personnel Termination Microsoft implements this Personnel Security control audit 1.0.0

Automated Notification

ID: NIST SP 800-53 Rev. 4 PS-4 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1521 - Personnel Termination | Automated Notification Microsoft implements this Personnel Security control audit 1.0.0

Personnel Transfer

ID: NIST SP 800-53 Rev. 4 PS-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1522 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1523 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1524 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1525 - Personnel Transfer Microsoft implements this Personnel Security control audit 1.0.0

Access Agreements

ID: NIST SP 800-53 Rev. 4 PS-6

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1526 - Access Agreements Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1527 - Access Agreements Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1528 - Access Agreements Microsoft implements this Personnel Security control audit 1.0.0

Third-party Personnel Security

ID: NIST SP 800-53 Rev. 4 PS-7

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1529 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1530 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1531 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1532 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1533 - Third-Party Personnel Security Microsoft implements this Personnel Security control audit 1.0.0

Personnel Sanctions

ID: NIST SP 800-53 Rev. 4 PS-8

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1534 - Personnel Sanctions Microsoft implements this Personnel Security control audit 1.0.0
Microsoft Managed Control 1535 - Personnel Sanctions Microsoft implements this Personnel Security control audit 1.0.0

Risk Assessment

Risk Assessment Policy and Procedures

ID: NIST SP 800-53 Rev. 4 RA-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1536 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1537 - Risk Assessment Policy And Procedures Microsoft implements this Risk Assessment control audit 1.0.0

Security Categorization

ID: NIST SP 800-53 Rev. 4 RA-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1538 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1539 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1540 - Security Categorization Microsoft implements this Risk Assessment control audit 1.0.0

Risk Assessment

ID: NIST SP 800-53 Rev. 4 RA-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1541 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1542 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1543 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1544 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0
Microsoft Managed Control 1545 - Risk Assessment Microsoft implements this Risk Assessment control audit 1.0.0

Vulnerability Scanning

ID: NIST SP 800-53 Rev. 4 RA-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0
Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for DNS should be enabled | Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0-preview
Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3
Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2
Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | AuditIfNotExists, Disabled | 1.0.3
Microsoft Managed Control 1546 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0
Microsoft Managed Control 1547 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0
Microsoft Managed Control 1548 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0
Microsoft Managed Control 1549 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0
Microsoft Managed Control 1550 - Vulnerability Scanning | Microsoft implements this Risk Assessment control | audit | 1.0.0
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0
SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | AuditIfNotExists, Disabled | 1.0.0
Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | AuditIfNotExists, Disabled | 2.0.0
Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0
Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0
Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | AuditIfNotExists, Disabled | 1.0.0

Update Tool Capability

ID: NIST SP 800-53 Rev. 4 RA-5 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1551 - Vulnerability Scanning | Update Tool Capability | Microsoft implements this Risk Assessment control | audit | 1.0.0

Update by Frequency / Prior to New Scan / When Identified

ID: NIST SP 800-53 Rev. 4 RA-5 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified | Microsoft implements this Risk Assessment control | audit | 1.0.0

Breadth / Depth of Coverage

ID: NIST SP 800-53 Rev. 4 RA-5 (3)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage | Microsoft implements this Risk Assessment control | audit | 1.0.0

Discoverable Information

ID: NIST SP 800-53 Rev. 4 RA-5 (4)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1554 - Vulnerability Scanning | Discoverable Information | Microsoft implements this Risk Assessment control | audit | 1.0.0

Privileged Access

ID: NIST SP 800-53 Rev. 4 RA-5 (5)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1555 - Vulnerability Scanning | Privileged Access | Microsoft implements this Risk Assessment control | audit | 1.0.0

Automated Trend Analyses

ID: NIST SP 800-53 Rev. 4 RA-5 (6)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses | Microsoft implements this Risk Assessment control | audit | 1.0.0

Review Historic Audit Logs

ID: NIST SP 800-53 Rev. 4 RA-5 (8)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs | Microsoft implements this Risk Assessment control | audit | 1.0.0

Correlate Scanning Information

ID: NIST SP 800-53 Rev. 4 RA-5 (10)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information | Microsoft implements this Risk Assessment control | audit | 1.0.0

System and Services Acquisition

System and Services Acquisition Policy and Procedures

ID: NIST SP 800-53 Rev. 4 SA-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1559 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1560 - System And Services Acquisition Policy And Procedures | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Allocation of Resources

ID: NIST SP 800-53 Rev. 4 SA-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1561 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1562 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1563 - Allocation Of Resources | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

System Development Life Cycle

ID: NIST SP 800-53 Rev. 4 SA-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1564 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1565 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1566 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1567 - System Development Life Cycle | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Acquisition Process

ID: NIST SP 800-53 Rev. 4 SA-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1568 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1569 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1570 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1571 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1572 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1573 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1574 - Acquisition Process | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Functional Properties of Security Controls

ID: NIST SP 800-53 Rev. 4 SA-4 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1575 - Acquisition Process | Functional Properties Of Security Controls | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Design / Implementation Information for Security Controls

ID: NIST SP 800-53 Rev. 4 SA-4 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1576 - Acquisition Process | Design / Implementation Information For Security Controls | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Continuous Monitoring Plan

ID: NIST SP 800-53 Rev. 4 SA-4 (8)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Functions / Ports / Protocols / Services in Use

ID: NIST SP 800-53 Rev. 4 SA-4 (9)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols / Services In Use | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Use of Approved PIV Products

ID: NIST SP 800-53 Rev. 4 SA-4 (10)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Information System Documentation

ID: NIST SP 800-53 Rev. 4 SA-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1580 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1581 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1582 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1583 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1584 - Information System Documentation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Security Engineering Principles

ID: NIST SP 800-53 Rev. 4 SA-8

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1585 - Security Engineering Principles | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

External Information System Services

ID: NIST SP 800-53 Rev. 4 SA-9

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1586 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1587 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1588 - External Information System Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Risk Assessments / Organizational Approvals

ID: NIST SP 800-53 Rev. 4 SA-9 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1589 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1590 - External Information System Services | Risk Assessments / Organizational Approvals | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Identification of Functions / Ports / Protocols / Services

ID: NIST SP 800-53 Rev. 4 SA-9 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1591 - External Information System Services | Ident. Of Functions / Ports / Protocols / Services | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Consistent Interests of Consumers and Providers

ID: NIST SP 800-53 Rev. 4 SA-9 (4)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1592 - External Information System Services | Consistent Interests Of Consumers And Providers | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Processing, Storage, and Service Location

ID: NIST SP 800-53 Rev. 4 SA-9 (5)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1593 - External Information System Services | Processing, Storage, And Service Location | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Developer Configuration Management

ID: NIST SP 800-53 Rev. 4 SA-10

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1594 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1595 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1596 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1597 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1598 - Developer Configuration Management | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Software / Firmware Integrity Verification

ID: NIST SP 800-53 Rev. 4 SA-10 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1599 - Developer Configuration Management | Software / Firmware Integrity Verification | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Developer Security Testing and Evaluation

ID: NIST SP 800-53 Rev. 4 SA-11

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1600 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1601 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1602 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1603 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1604 - Developer Security Testing And Evaluation | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Static Code Analysis

ID: NIST SP 800-53 Rev. 4 SA-11 (1)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1605 - Developer Security Testing And Evaluation | Static Code Analysis | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Threat and Vulnerability Analyses

ID: NIST SP 800-53 Rev. 4 SA-11 (2)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1606 - Developer Security Testing And Evaluation | Threat And Vulnerability Analyses | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Dynamic Code Analysis

ID: NIST SP 800-53 Rev. 4 SA-11 (8)

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic Code Analysis | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Supply Chain Protection

ID: NIST SP 800-53 Rev. 4 SA-12

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1608 - Supply Chain Protection | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Development Process, Standards, and Tools

ID: NIST SP 800-53 Rev. 4 SA-15

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1609 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1610 - Development Process, Standards, And Tools | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Developer-provided Training

ID: NIST SP 800-53 Rev. 4 SA-16

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1611 - Developer-Provided Training | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

Developer Security Architecture and Design

ID: NIST SP 800-53 Rev. 4 SA-17

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1612 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1613 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0
Microsoft Managed Control 1614 - Developer Security Architecture And Design | Microsoft implements this System and Services Acquisition control | audit | 1.0.0

System and Communications Protection

System and Communications Protection Policy and Procedures

ID: NIST SP 800-53 Rev. 4 SC-1

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1615 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | audit | 1.0.0
Microsoft Managed Control 1616 - System And Communications Protection Policy And Procedures | Microsoft implements this System and Communications Protection control | audit | 1.0.0

Application Partitioning

ID: NIST SP 800-53 Rev. 4 SC-2

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1617 - Application Partitioning | Microsoft implements this System and Communications Protection control | audit | 1.0.0

Security Function Isolation

ID: NIST SP 800-53 Rev. 4 SC-3

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3
Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | AuditIfNotExists, Disabled | 3.0.0
Microsoft Managed Control 1618 - Security Function Isolation | Microsoft implements this System and Communications Protection control | audit | 1.0.0
Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0
Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | AuditIfNotExists, Disabled | 1.1.1

Information in Shared Resources

ID: NIST SP 800-53 Rev. 4 SC-4

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1619 - Information In Shared Resources | Microsoft implements this System and Communications Protection control | audit | 1.0.0

Denial of Service Protection

ID: NIST SP 800-53 Rev. 4 SC-5

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Azure DDoS Protection should be enabled | DDoS Protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.0
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0
Microsoft Managed Control 1620 - Denial Of Service Protection | Microsoft implements this System and Communications Protection control | audit | 1.0.0
Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1
Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit, Deny, Disabled | 1.0.1

Resource Availability

ID: NIST SP 800-53 Rev. 4 SC-6

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Managed Control 1621 - Resource Availability | Microsoft implements this System and Communications Protection control | audit | 1.0.0

Boundary Protection

ID: NIST SP 800-53 Rev. 4 SC-7

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0
All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0
API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Disabled | 1.0.1
App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. | AuditIfNotExists, Disabled | 1.0.2
Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1
Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0
Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | AuditIfNotExists, Disabled | 1.0.0
Azure Cognitive Search service should use a SKU that supports private link | With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0
Azure Cognitive Search services should disable public network access | Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Deny, Disabled | 1.0.0
Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Audit, Disabled | 1.0.0
Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Audit, Deny, Disabled | 2.0.0
Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | AuditIfNotExists, Disabled | 1.0.0
Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2
Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Audit, Disabled | 1.0.2
Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | AuditIfNotExists, Disabled | 1.0.0
Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Audit, Deny, Disabled | 2.0.0-preview
Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Audit, Deny, Disabled | 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Deny, Disabled 1.0.1
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Cognitive Services accounts should disable public network access Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Deny, Disabled 2.0.0
Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 2.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 2.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. Audit, Deny, Disabled 1.1.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1622 - Boundary Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1623 - Boundary Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1624 - Boundary Protection Microsoft implements this System and Communications Protection control audit 1.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Audit, Deny, Disabled 1.1.0-preview
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. disabled 3.0.1-preview
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.1
Web Application Firewall (WAF) should be enabled for Azure Front Door Service service Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Audit, Deny, Disabled 1.0.1

Access Points

ID: NIST SP 800-53 Rev. 4 SC-7 (3)

Name (Azure portal) Description Effect(s) Version (GitHub)
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface AuditIfNotExists, Disabled 3.0.0
All Internet traffic should be routed via your deployed Azure Firewall Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall AuditIfNotExists, Disabled 3.0.0-preview
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Audit, Disabled 1.0.1
App Configuration should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. AuditIfNotExists, Disabled 1.0.2
Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit, Disabled 2.0.1
Azure API for FHIR should use private link Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. Audit, Disabled 1.0.0
Azure Cache for Redis should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should disable public network access Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Disabled 1.0.0
Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Audit, Deny, Disabled 2.0.0
Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. AuditIfNotExists, Disabled 1.0.0
Azure Event Grid domains should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure Event Grid topics should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Audit, Disabled 1.0.2
Azure File Sync should use private link Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. AuditIfNotExists, Disabled 1.0.0
Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Audit, Deny, Disabled 2.0.0-preview
Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Audit, Deny, Disabled 1.1.0
Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. AuditIfNotExists, Disabled 1.0.0
Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Audit, Deny, Disabled 1.0.1
Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Audit, Disabled 1.0.1
Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Audit, Deny, Disabled 1.0.0
Cognitive Services accounts should disable public network access Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Deny, Disabled 2.0.0
Cognitive Services accounts should restrict network access Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 2.0.0
Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Audit, Disabled 2.0.0
Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. Audit, Deny, Disabled 1.1.0
Container registries should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Audit, Disabled 1.0.1
CosmosDB accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints. Audit, Disabled 1.0.0
Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. AuditIfNotExists, Disabled 1.0.0
Event Hub namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. AuditIfNotExists, Disabled 1.0.0
Internet-facing virtual machines should be protected with network security groups Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Audit, Disabled 1.0.0
IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. AuditIfNotExists, Disabled 3.0.0
Management ports of virtual machines should be protected with just-in-time network access control Azure Security Center monitors virtual machines whose management ports could be protected with Just In Time (JIT) network access and reports them as recommendations. AuditIfNotExists, Disabled 3.0.0
Management ports should be closed on your virtual machines Open remote management ports expose your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. AuditIfNotExists, Disabled 3.0.0
Microsoft Managed Control 1625 - Boundary Protection | Access Points Microsoft implements this System and Communications Protection control audit 1.0.0
Non-internet-facing virtual machines should be protected with network security groups Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc AuditIfNotExists, Disabled 3.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Private endpoint should be configured for Key Vault Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Audit, Deny, Disabled 1.1.0-preview
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MySQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for PostgreSQL servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Disabled 1.0.2
Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. disabled 3.0.1-preview
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. Audit, Deny, Disabled 1.1.1
Storage accounts should restrict network access using virtual network rules Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Audit, Deny, Disabled 1.0.1
Storage accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azureprivatelinkoverview AuditIfNotExists, Disabled 2.0.0
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. AuditIfNotExists, Disabled 3.0.0
VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Audit, Disabled, Deny 1.1.0
Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, Cross-Site Scripting, and local and remote file execution. You can also restrict access to your web applications by country, IP address range, and other HTTP(S) parameters via custom rules. Audit, Deny, Disabled 1.0.1
Web Application Firewall (WAF) should be enabled for Azure Front Door Service service Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injection, Cross-Site Scripting, and local and remote file execution. You can also restrict access to your web applications by country, IP address range, and other HTTP(S) parameters via custom rules. Audit, Deny, Disabled 1.0.1

External Telecommunications Services

ID: NIST SP 800-53 Rev. 4 SC-7 (4)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1626 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1627 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1628 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1629 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0
Microsoft Managed Control 1630 - Boundary Protection | External Telecommunications Services Microsoft implements this System and Communications Protection control audit 1.0.0

Deny by Default / Allow by Exception

ID: NIST SP 800-53 Rev. 4 SC-7 (5)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception Microsoft implements this System and Communications Protection control audit 1.0.0

Prevent Split Tunneling for Remote Devices

ID: NIST SP 800-53 Rev. 4 SC-7 (7)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote Devices Microsoft implements this System and Communications Protection control audit 1.0.0

Route Traffic to Authenticated Proxy Servers

ID: NIST SP 800-53 Rev. 4 SC-7 (8)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated Proxy Servers Microsoft implements this System and Communications Protection control audit 1.0.0

Prevent Unauthorized Exfiltration

ID: NIST SP 800-53 Rev. 4 SC-7 (10)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration Microsoft implements this System and Communications Protection control audit 1.0.0

Host-based Protection

ID: NIST SP 800-53 Rev. 4 SC-7 (12)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1635 - Boundary Protection | Host-Based Protection Microsoft implements this System and Communications Protection control audit 1.0.0

Isolation of Security Tools / Mechanisms / Support Components

ID: NIST SP 800-53 Rev. 4 SC-7 (13)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components Microsoft implements this System and Communications Protection control audit 1.0.0

Fail Secure

ID: NIST SP 800-53 Rev. 4 SC-7 (18)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1637 - Boundary Protection | Fail Secure Microsoft implements this System and Communications Protection control audit 1.0.0

Dynamic Isolation / Segregation

ID: NIST SP 800-53 Rev. 4 SC-7 (20)

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Microsoft Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation Microsoft implements this System and Communications Protection control audit