Azure Policy Regulatory Compliance controls for Azure Virtual Machines

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

Regulatory Compliance in Azure Policy provides Microsoft-created and Microsoft-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Virtual Machines. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 415 | User identification - 415 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for System Hardening - Authentication hardening | 421 | Single-factor authentication - 421 | Windows machines should meet requirements for 'Security Settings - Account Policies' | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 445 | Privileged access to systems - 445 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for Cryptography - Cryptographic fundamentals | 459 | Encrypting data at rest - 459 | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Guidelines for System Monitoring - Event logging and auditing | 582 | Events to be logged - 582 | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 940 | When to patch security vulnerabilities - 940 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for Cryptography - Transport Layer Security | 1139 | Using Transport Layer Security - 1139 | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1144 | When to patch security vulnerabilities - 1144 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Guidelines for Networking - Network design and configuration | 1182 | Network access controls - 1182 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Guidelines for Networking - Network design and configuration | 1182 | Network access controls - 1182 | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for Database Systems - Database servers | 1277 | Communications between database servers and web servers - 1277 | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| Guidelines for Gateways - Content filtering | 1288 | Antivirus scanning - 1288 | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Guidelines for Gateways - Content filtering | 1288 | Antivirus scanning - 1288 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
| Guidelines for Gateways - Content filtering | 1288 | Antivirus scanning - 1288 | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Guidelines for System Management - System administration | 1386 | Restriction of management traffic flows - 1386 | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Guidelines for System Hardening - Operating system hardening | 1407 | Operating system versions - 1407 | System updates on virtual machine scale sets should be installed | 3.0.0 |
| Guidelines for System Hardening - Operating system hardening | 1407 | Operating system versions - 1407 | System updates should be installed on your machines | 4.0.0 |
| Guidelines for System Hardening - Operating system hardening | 1417 | Antivirus software - 1417 | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Guidelines for System Hardening - Operating system hardening | 1417 | Antivirus software - 1417 | Microsoft IaaSAntimalware extension should be deployed on Windows servers | 1.1.0 |
| Guidelines for System Hardening - Operating system hardening | 1417 | Antivirus software - 1417 | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Guidelines for Database Systems - Database servers | 1425 | Protecting database server contents - 1425 | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1472 | When to patch security vulnerabilities - 1472 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Guidelines for System Hardening - Operating system hardening | 1490 | Application control - 1490 | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1494 | When to patch security vulnerabilities - 1494 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1495 | When to patch security vulnerabilities - 1495 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Guidelines for System Management - System patching | 1496 | When to patch security vulnerabilities - 1496 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1503 | Standard access to systems - 1503 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1507 | Privileged access to systems - 1507 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Guidelines for Personnel Security - Access to systems and their resources | 1508 | Privileged access to systems - 1508 | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Guidelines for System Management - Data backup and restoration | 1511 | Performing backups - 1511 | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Audit Linux machines that have accounts without passwords | 3.0.0 |
| Guidelines for System Hardening - Authentication hardening | 1546 | Authenticating to systems - 1546 | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |

Azure Security Benchmark

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | NS-1 | Establish network segmentation boundaries | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Network Security | NS-1 | Establish network segmentation boundaries | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| Network Security | NS-1 | Establish network segmentation boundaries | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Network Security | NS-1 | Establish network segmentation boundaries | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Network Security | NS-3 | Deploy firewall at the edge of enterprise network | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
| Network Security | NS-3 | Deploy firewall at the edge of enterprise network | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Network Security | NS-3 | Deploy firewall at the edge of enterprise network | Management ports should be closed on your virtual machines | 3.0.0 |
| Network Security | NS-7 | Simplify network security configuration | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Identity Management | IM-3 | Manage application identities securely and automatically | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Identity Management | IM-6 | Use strong authentication controls | Authentication to Linux machines should require SSH keys | 3.0.0 |
| Privileged Access | PA-2 | Avoid standing access for accounts and permissions | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Data Protection | DP-3 | Encrypt sensitive data in transit | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| Data Protection | DP-4 | Enable data at rest encryption by default | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Asset Management | AM-2 | Use only approved services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
| Asset Management | AM-5 | Use only approved applications in virtual machine | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Asset Management | AM-5 | Use only approved applications in virtual machine | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Logging and Threat Detection | LT-1 | Enable threat detection capabilities | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Logging and Threat Detection | LT-2 | Enable threat detection for identity and access management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Logging and Threat Detection | LT-3 | Enable logging for security investigation | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Logging and Threat Detection | LT-4 | Enable network logging for security investigation | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
| Logging and Threat Detection | LT-4 | Enable network logging for security investigation | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0 |
| Logging and Threat Detection | LT-5 | Centralize security log management and analysis | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0 |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | 5.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | 4.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | 3.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | 2.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | 3.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | [Preview]: vTPM should be enabled on supported virtual machines | 2.0.0-preview |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Guest Configuration extension should be installed on your machines | 1.0.2 |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Posture and Vulnerability Management | PV-4 | Audit and enforce secure configurations for compute resources | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Posture and Vulnerability Management | PV-5 | Perform vulnerability assessments | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | [Preview]: Machines should be configured to periodically check for missing system updates | 1.0.0-preview |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | [Preview]: System updates should be installed on your machines (powered by Update Center) | 1.0.0-preview |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | System updates on virtual machine scale sets should be installed | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | System updates should be installed on your machines | 4.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Posture and Vulnerability Management | PV-6 | Rapidly and automatically remediate vulnerabilities | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection should be installed on your machines | 1.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Endpoint Security | ES-2 | Use modern anti-malware software | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0 |
| Endpoint Security | ES-3 | Ensure anti-malware software and signatures are updated | Endpoint protection health issues should be resolved on your machines | 1.0.0 |
| Backup and Recovery | BR-1 | Ensure regular automated backups | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
| Backup and Recovery | BR-2 | Protect backup and recovery data | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
| DevOps Security | DS-6 | Enforce security of workload throughout DevOps lifecycle | Vulnerabilities in container security configurations should be remediated | 3.0.0 |

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Azure Security Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Management ports should be closed on your virtual machines | 3.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Administrative Templates - Network' | 3.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | 3.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Network Security | 1.11 | Use automated tools to monitor network resource configurations and detect changes | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Network Security | 1.4 | Deny communications with known malicious IP addresses | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Network Security | 1.4 | Deny communications with known malicious IP addresses | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
| Logging and Monitoring | 2.2 | Configure central security log management | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
| Logging and Monitoring | 2.2 | Configure central security log management | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Audit Windows machines on which the Log Analytics agent is not connected as expected | 2.0.0 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
| Logging and Monitoring | 2.4 | Collect security logs from operating systems | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
| Logging and Monitoring | 2.8 | Centralize anti-malware logging | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Logging and Monitoring | 2.8 | Centralize anti-malware logging | Microsoft Antimalware for Azure should be configured to automatically update protection signatures | 1.0.0 |
| Logging and Monitoring | 2.8 | Centralize anti-malware logging | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
| Identity and Access Control | 3.3 | Use dedicated administrative accounts | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Data Protection | 4.8 | Encrypt sensitive information at rest | [Deprecated]: Unattached disks should be encrypted | 1.0.0-deprecated |
| Data Protection | 4.8 | Encrypt sensitive information at rest | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Vulnerability Management | 5.1 | Run automated vulnerability scanning tools | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Vulnerability Management | 5.2 | Deploy automated operating system patch management solution | System updates on virtual machine scale sets should be installed | 3.0.0 |
| Vulnerability Management | 5.2 | Deploy automated operating system patch management solution | System updates should be installed on your machines | 4.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Vulnerability Management | 5.5 | Use a risk-rating process to prioritize the remediation of discovered vulnerabilities | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Inventory and Asset Management | 6.10 | Implement approved application list | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Inventory and Asset Management | 6.8 | Use only approved applications | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Inventory and Asset Management | 6.9 | Use only approved Azure services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
| Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Secure Configuration | 7.10 | Implement automated configuration monitoring for operating systems | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
Secure Configuration 7.10 Implement automated configuration monitoring for operating systems Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Secure Configuration 7.4 Maintain secure operating system configurations Vulnerabilities in container security configurations should be remediated 3.0.0
Secure Configuration 7.4 Maintain secure operating system configurations Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Secure Configuration 7.4 Maintain secure operating system configurations Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Malware Defense 8.1 Use centrally managed anti-malware software Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Malware Defense 8.1 Use centrally managed anti-malware software Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Malware Defense 8.3 Ensure anti-malware software and signatures are updated Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
Data Recovery 9.1 Ensure regular automated back ups Azure Backup should be enabled for Virtual Machines 3.0.0
Data Recovery 9.2 Perform complete system backups and backup any customer managed keys Azure Backup should be enabled for Virtual Machines 3.0.0

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-5 | Separation of Duties | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC-5 | Separation of Duties | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC-5 | Separation of Duties | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC-5 | Separation of Duties | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC-6 | Least Privilege | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC-6 | Least Privilege | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC-6 | Least Privilege | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC-6 | Least Privilege | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC-6 | Least Privilege | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC-17(1) | Remote Access \| Automated Monitoring / Control | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Audit and Accountability | AU-3 | Content of Audit Records | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Audit and Accountability | AU-3 | Content of Audit Records | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Audit and Accountability | AU-3 | Content of Audit Records | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Audit and Accountability | AU-12 | Audit Generation | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Audit and Accountability | AU-12 | Audit Generation | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Audit and Accountability | AU-12 | Audit Generation | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Configuration Management | CM-7(5) | Least Functionality \| Authorized Software / Whitelisting | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-11 | User-Installed Software | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Contingency Planning | CP-7 | Alternative Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that have accounts without passwords | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
| Identification and Authentication | IA-5(1) | Authenticator Management \| Password-Based Authentication | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| System and Communications Protection | SC-7 | Boundary Protection | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| System and Communications Protection | SC-7(3) | Boundary Protection \| Access Points | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| System and Communications Protection | SC-7(4) | Boundary Protection \| External Telecommunications Services | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| System and Communications Protection | SC-8(1) | Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| System and Communications Protection | SC-28 | Protection of Information at Rest | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| System and Information Integrity | SI-2 | Flaw Remediation | System updates on virtual machine scale sets should be installed | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | System updates should be installed on your machines | 4.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| System and Information Integrity | SI-3 | Malicious Code Protection | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| System and Information Integrity | SI-3(1) | Malicious Code Protection \| Central Management | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| System and Information Integrity | SI-3(1) | Malicious Code Protection \| Central Management | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| System and Information Integrity | SI-4 | Information System Monitoring | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| System and Information Integrity | SI-4 | Information System Monitoring | Virtual machines should be connected to a specified workspace | 1.1.0 |
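Three of the Linux policies in the Canada Federal PBMM table (AC-17(1): remote connections from accounts without passwords; IA-5: passwd file permissions set to 0644 and accounts without passwords) are Guest Configuration audits that evaluate inside the guest OS. The POSIX shell script below is an added illustration, not code from this page or from the Guest Configuration built-ins, of running equivalent checks locally, for example to confirm a finding before remediating or to pre-check an image before it is enrolled. The function names, the `--live` flag, and the constructed /etc/shadow and `sshd -T` samples are this example's own assumptions; the built-ins' actual evaluation logic is not reproduced here and may differ in detail. `stat -c %a` is GNU coreutils syntax, so the live mode targets Linux only.

```shell
#!/bin/sh
# Added example (not from the Azure docs page or the Guest Configuration built-ins):
# local equivalents of three Linux audits mapped above, written as functions that take
# their input explicitly so they run on constructed data as well as on a live host.

# Constructed sample data (hypothetical accounts and settings, not from any real host).
SAMPLE_SHADOW='root:$6$rounds=5000$saltsalt$hashhashhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
guest::19500:0:99999:7:::
svc:!:19500:0:99999:7:::'

SAMPLE_SSHD_T_BAD='port 22
permitrootlogin no
permitemptypasswords yes
passwordauthentication yes'

SAMPLE_SSHD_T_GOOD='port 22
permitrootlogin no
permitemptypasswords no
passwordauthentication yes'

# "Audit Linux machines that do not have the passwd file permissions set to 0644"
# $1: octal mode as printed by `stat -c %a /etc/passwd` (no leading zero).
passwd_mode_ok() {
    [ "$1" = "644" ]
}

# "Audit Linux machines that have accounts without passwords"
# Reads /etc/shadow-format lines on stdin and prints each account whose password
# field is empty. Locked entries ('!' or '*') are not reported: they still carry a
# password field and cannot authenticate with an empty credential.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }'
}

# "Audit Linux machines that allow remote connections from accounts without passwords"
# Reads effective sshd settings on stdin (the output of `sshd -T`) and succeeds only
# when PermitEmptyPasswords is present and set to "no". Fails closed: if the setting
# cannot be found, the host is reported non-compliant rather than assumed safe.
ssh_empty_passwords_denied() {
    awk 'tolower($1) == "permitemptypasswords" { found = 1; if (tolower($2) != "no") bad = 1 }
         END { if (found && !bad) exit 0; else exit 1 }'
}

# Runs all three checks against the live system. Needs root to read /etc/shadow and
# to run `sshd -T`. Returns 0 when every check passes, 1 otherwise.
audit_live_host() {
    status=0
    mode=$(stat -c %a /etc/passwd 2>/dev/null)
    passwd_mode_ok "$mode" || { echo "NONCOMPLIANT: /etc/passwd mode is '$mode', expected 644"; status=1; }
    empties=$(accounts_without_password < /etc/shadow)
    [ -z "$empties" ] || { echo "NONCOMPLIANT: accounts without a password: $(printf '%s ' $empties)"; status=1; }
    sshd -T 2>/dev/null | ssh_empty_passwords_denied || { echo "NONCOMPLIANT: sshd PermitEmptyPasswords is not 'no'"; status=1; }
    [ "$status" -eq 0 ] && echo "COMPLIANT: all three checks passed"
    return $status
}

# Usage: sudo sh linux_guest_checks.sh --live
if [ "$1" = "--live" ]; then
    audit_live_host
    exit $?
fi
```

Against the constructed samples, `accounts_without_password` reports only `guest` (the `daemon` and `svc` entries are locked, not passwordless), and `ssh_empty_passwords_denied` accepts the `SAMPLE_SSHD_T_GOOD` settings while rejecting `SAMPLE_SSHD_T_BAD`. Treating a missing `PermitEmptyPasswords` line as non-compliant is a deliberate choice: when reading `sshd -T` output the line is always present, so its absence means the effective configuration could not be read at all.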

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.10 | Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.12 | Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.13 | Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.3 | Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" | System updates should be installed on your machines | 4.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.4 | Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.5 | Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.6 | Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.7 | Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Security Center | CIS Microsoft Azure Foundations Benchmark recommendation 2.9 | Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.1 | Ensure that 'OS disk' are encrypted | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.2 | Ensure that 'Data disks' are encrypted | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0 |
| Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | System updates should be installed on your machines | 4.0.0 |
| Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| 5 Logging and Monitoring | CIS Microsoft Azure Foundations Benchmark recommendation 5.3 | Ensure that Diagnostic Logs are enabled for all services which support it. | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.1 | Ensure Virtual Machines are utilizing Managed Disks | Audit VMs that do not use managed disks | 1.0.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.2 | Ensure that 'OS and Data' disks are encrypted with CMK | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.4 | Ensure that only approved extensions are installed | Only approved VM extensions should be installed | 1.0.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.5 | Ensure that the latest OS Patches for all Virtual Machines are applied | System updates should be installed on your machines | 4.0.0 |
| 7 Virtual Machines | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | Ensure that the endpoint protection for all Virtual Machines is installed | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.1.002 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| Access Control | AC.1.003 | Verify and control/limit connections to and use of external information systems. | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Access Control | AC.1.003 | Verify and control/limit connections to and use of external information systems. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Access Control | AC.2.007 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Access Control | AC.2.008 | Use non-privileged accounts or roles when accessing nonsecurity functions. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC.2.013 | Monitor and control remote access sessions. | Windows machines should meet requirements for 'Security Options - Network Security' | 3.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations. | Windows machines should meet requirements for 'Security Options - Network Access' | 3.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control | AC.3.017 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control | AC.3.018 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Guest Configuration extension should be installed on your machines | 1.0.2 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'Security Options - User Account Control' | 3.0.0 |
| Access Control | AC.3.021 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Windows machines should meet requirements for 'User Rights Assignment' | 3.0.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Audit and Accountability | AU.2.041 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Audit and Accountability | AU.2.042 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Audit and Accountability | AU.3.046 | Alert in the event of an audit logging process failure. | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | The Log Analytics extension should be installed on Virtual Machine Scale Sets | 1.0.1 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Virtual machines should be connected to a specified workspace | 1.1.0 |
| Audit and Accountability | AU.3.048 | Collect audit information (e.g., logs) into one or more central repositories. | Virtual machines should have the Log Analytics extension installed | 1.0.1 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Security Assessment | CA.2.158 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Security Assessment | CA.3.161 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
| Configuration Management | CM.2.062 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | 3.0.0 |
Configuration Management CM.2.063 Control and monitor user-installed software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Windows machines should meet requirements for 'Security Options - User Account Control' 3.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Windows machines should meet requirements for 'System Audit Policies - Policy Change' 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Internet-facing virtual machines should be protected with network security groups 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Configuration Management CM.3.069 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Audit Linux machines that do not have the passwd file permissions set to 0644 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Audit Linux machines that have accounts without passwords 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Linux machines that have accounts without passwords 3.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not restrict the minimum password length to 14 characters 2.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Audit Windows machines that allow re-use of the previous 24 passwords 2.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. Windows web servers should be configured to use secure communication protocols 4.0.0
Incident Response IR.2.093 Detect and report events. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Azure Backup should be enabled for Virtual Machines 3.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Azure Backup should be enabled for Virtual Machines 3.0.0
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows web servers should be configured to use secure communication protocols 4.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.2.179 Use encrypted sessions for the management of network devices. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. Audit Windows machines that have the specified members in the Administrators group 2.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
System and Communications Protection SC.3.185 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Windows web servers should be configured to use secure communication protocols 4.0.0
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Windows web servers should be configured to use secure communication protocols 4.0.0
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. System updates should be installed on your machines 4.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI.1.212 Update malicious code protection mechanisms when new releases are available. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Monitor missing Endpoint Protection in Azure Security Center 3.0.0

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
Access Control AC-2 (12) Account Monitoring / Atypical Usage Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Access Control AC-3 Access Enforcement Audit Linux machines that have accounts without passwords 3.0.0
Access Control AC-3 Access Enforcement Authentication to Linux machines should require SSH keys 3.0.0
Access Control AC-3 Access Enforcement Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.0.0
Access Control AC-3 Access Enforcement Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control AC-4 Information Flow Enforcement Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control AC-4 Information Flow Enforcement Disk access resources should use private link 1.0.0
Access Control AC-4 Information Flow Enforcement Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 Information Flow Enforcement IP Forwarding on your virtual machine should be disabled 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports should be closed on your virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Access Control AC-17 Remote Access Audit Linux machines that allow remote connections from accounts without passwords 3.0.0
Access Control AC-17 Remote Access Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.0.0
Access Control AC-17 Remote Access Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 Remote Access Disk access resources should use private link 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Access Control AC-17 (1) Automated Monitoring / Control Audit Linux machines that allow remote connections from accounts without passwords 3.0.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.0.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 (1) Automated Monitoring / Control Disk access resources should use private link 1.0.0
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-6 Audit Review, Analysis, and Reporting [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-6 (4) Central Review and Analysis [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-6 (4) Central Review and Analysis [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-6 (4) Central Review and Analysis Guest Configuration extension should be installed on your machines 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Resource logs in Virtual Machine Scale Sets should be enabled 2.1.0
Audit and Accountability AU-6 (4) Central Review and Analysis Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Guest Configuration extension should be installed on your machines 1.0.2
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (5) Integration / Scanning and Monitoring Capabilities Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0
Audit and Accountability | AU-6 (5) | Integration / Scanning and Monitoring Capabilities | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
Audit and Accountability | AU-12 | Audit Generation | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 | Audit Generation | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 | Audit Generation | Guest Configuration extension should be installed on your machines | 1.0.2
Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0
Audit and Accountability | AU-12 | Audit Generation | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Guest Configuration extension should be installed on your machines | 1.0.2
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0
Audit and Accountability | AU-12 (1) | System-wide / Time-correlated Audit Trail | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0
Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Configuration Management | CM-7 | Least Functionality | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-7 | Least Functionality | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-7 (2) | Prevent Program Execution | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-7 (2) | Prevent Program Execution | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-7 (5) | Authorized Software / Whitelisting | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-7 (5) | Authorized Software / Whitelisting | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-10 | Software Usage Restrictions | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-10 | Software Usage Restrictions | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-11 | User-installed Software | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-11 | User-installed Software | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0
Contingency Planning | CP-9 | Information System Backup | Azure Backup should be enabled for Virtual Machines | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0
Risk Assessment | RA-5 | Vulnerability Scanning | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in container security configurations should be remediated | 3.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
System and Communications Protection | SC-3 | Security Function Isolation | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
System and Communications Protection | SC-3 | Security Function Isolation | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
System and Communications Protection | SC-3 | Security Function Isolation | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Communications Protection | SC-5 | Denial of Service Protection | IP Forwarding on your virtual machine should be disabled | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Disk access resources should use private link | 1.0.0
System and Communications Protection | SC-7 | Boundary Protection | Internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | IP Forwarding on your virtual machine should be disabled | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Management ports should be closed on your virtual machines | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Disk access resources should use private link | 1.0.0
System and Communications Protection | SC-7 (3) | Access Points | Internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | IP Forwarding on your virtual machine should be disabled | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Management ports should be closed on your virtual machines | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows web servers should be configured to use secure communication protocols | 4.0.0
System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 4.0.0
System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0
System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | OS and data disks should be encrypted with a customer-managed key | 3.0.0
System and Communications Protection | SC-28 | Protection of Information at Rest | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0
System and Communications Protection | SC-28 | Protection of Information at Rest | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3
System and Communications Protection | SC-28 (1) | Cryptographic Protection | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0
System and Communications Protection | SC-28 (1) | Cryptographic Protection | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3
System and Information Integrity | SI-2 | Flaw Remediation | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
System and Information Integrity | SI-2 | Flaw Remediation | System updates on virtual machine scale sets should be installed | 3.0.0
System and Information Integrity | SI-2 | Flaw Remediation | System updates should be installed on your machines | 4.0.0
System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | SI-3 (1) | Central Management | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
System and Information Integrity | SI-3 (1) | Central Management | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
System and Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | SI-4 | Information System Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview
System and Information Integrity | SI-4 | Information System Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview
System and Information Integrity | SI-4 | Information System Monitoring | Guest Configuration extension should be installed on your machines | 1.0.2
System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0
System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0
System and Information Integrity | SI-4 | Information System Monitoring | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
--- | --- | --- | --- | ---
Access Control | AC-2 (12) | Account Monitoring / Atypical Usage | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Access Control | AC-3 | Access Enforcement | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Access Control | AC-3 | Access Enforcement | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 3.0.0
Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 3.0.0
Access Control | AC-3 | Access Enforcement | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Access Control | AC-3 | Access Enforcement | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0
Access Control | AC-4 | Information Flow Enforcement | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
Access Control | AC-4 | Information Flow Enforcement | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0
Access Control | AC-4 | Information Flow Enforcement | Disk access resources should use private link | 1.0.0
Access Control | AC-4 | Information Flow Enforcement | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Access Control | AC-4 | Information Flow Enforcement | IP Forwarding on your virtual machine should be disabled | 3.0.0
Access Control | AC-4 | Information Flow Enforcement | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Access Control | AC-4 | Information Flow Enforcement | Management ports should be closed on your virtual machines | 3.0.0
Access Control | AC-4 | Information Flow Enforcement | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0
Access Control | AC-17 | Remote Access | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Access Control | AC-17 | Remote Access | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0
Access Control | AC-17 | Remote Access | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Access Control | AC-17 | Remote Access | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0
Access Control | AC-17 | Remote Access | Disk access resources should use private link | 1.0.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0
Access Control | AC-17 (1) | Automated Monitoring / Control | Disk access resources should use private link | 1.0.0
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview
Audit and Accountability | AU-6 | Audit Review, Analysis, and Reporting | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 | Audit Generation | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 | Audit Generation | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview
Audit and Accountability | AU-12 | Audit Generation | Guest Configuration extension should be installed on your machines | 1.0.2
Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0
Audit and Accountability | AU-12 | Audit Generation | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0
Audit and Accountability | AU-12 | Audit Generation | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0
Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0
Configuration Management | CM-7 | Least Functionality | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-7 | Least Functionality | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-7 (2) | Prevent Program Execution | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-7 (2) | Prevent Program Execution | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-7 (5) | Authorized Software / Whitelisting | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-7 (5) | Authorized Software / Whitelisting | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-10 | Software Usage Restrictions | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-10 | Software Usage Restrictions | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Configuration Management | CM-11 | User-installed Software | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Configuration Management | CM-11 | User-installed Software | Allowlist rules in your adaptive application control policy should be updated | 3.0.0
Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0
Contingency Planning | CP-9 | Information System Backup | Azure Backup should be enabled for Virtual Machines | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Identification and Authentication | IA-5 | Authenticator Management | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0
Identification and Authentication | IA-5 (1) | Password-based Authentication | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0
Risk Assessment | RA-5 | Vulnerability Scanning | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | SQL servers on machines should have vulnerability findings resolved | 1.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in container security configurations should be remediated | 3.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
Risk Assessment | RA-5 | Vulnerability Scanning | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
System and Communications Protection | SC-5 | Denial of Service Protection | IP Forwarding on your virtual machine should be disabled | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Disk access resources should use private link | 1.0.0
System and Communications Protection | SC-7 | Boundary Protection | Internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | IP Forwarding on your virtual machine should be disabled | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Management ports should be closed on your virtual machines | 3.0.0
System and Communications Protection | SC-7 | Boundary Protection | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Disk access resources should use private link | 1.0.0
System and Communications Protection | SC-7 (3) | Access Points | Internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | IP Forwarding on your virtual machine should be disabled | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Management ports should be closed on your virtual machines | 3.0.0
System and Communications Protection | SC-7 (3) | Access Points | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0
System and Communications Protection | SC-8 | Transmission Confidentiality and Integrity | Windows web servers should be configured to use secure communication protocols | 4.0.0
System and Communications Protection | SC-8 (1) | Cryptographic or Alternate Physical Protection | Windows web servers should be configured to use secure communication protocols | 4.0.0
System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | Managed disks should be double encrypted with both platform-managed and customer-managed keys | 1.0.0
System and Communications Protection | SC-12 | Cryptographic Key Establishment and Management | OS and data disks should be encrypted with a customer-managed key | 3.0.0
System and Communications Protection | SC-28 | Protection of Information at Rest | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0
System and Communications Protection | SC-28 | Protection of Information at Rest | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3
System and Communications Protection | SC-28 (1) | Cryptographic Protection | Virtual machines and virtual machine scale sets should have encryption at host enabled | 1.0.0
System and Communications Protection | SC-28 (1) | Cryptographic Protection | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3
System and Information Integrity | SI-2 | Flaw Remediation | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0
System and Information Integrity | SI-2 | Flaw Remediation | System updates on virtual machine scale sets should be installed | 3.0.0
System and Information Integrity | SI-2 | Flaw Remediation | System updates should be installed on your machines | 4.0.0
System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0
System and Information Integrity | SI-2 | Flaw Remediation | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
System and Information Integrity | SI-3 | Malicious Code Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | SI-3 (1) | Central Management | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0
System and Information Integrity | SI-3 (1) | Central Management | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0
System and Information Integrity | SI-3 (1) | Central Management | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity | SI-4 | Information System Monitoring | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview
System and Information Integrity | SI-4 | Information System Monitoring | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview
System and Information Integrity | SI-4 | Information System Monitoring | Guest Configuration extension should be installed on your machines | 1.0.2
System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0
System and Information Integrity | SI-4 | Information System Monitoring | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0
System and Information Integrity | SI-4 | Information System Monitoring | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1
System and Information Integrity | SI-16 | Memory Protection | Windows Defender Exploit Guard should be enabled on your machines | 2.0.0
System and Information Integrity SI-16 Memory Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub)
--- | --- | --- | --- | ---
Privilege Management | 11180.01c3System.6 - 01.c | Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Privilege Management | 1143.01c1System.123 - 01.c | Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element. | Management ports should be closed on your virtual machines | 3.0.0
Privilege Management | 1148.01c2System.78 - 01.c | The organization restricts access to privileged functions and all security-relevant information. | Windows machines should meet requirements for 'Security Options - Accounts' | 3.0.0
Privilege Management | 1150.01c2System.10 - 01.c | The access control system for the system components storing, processing or transmitting covered information is set with a default "deny-all" setting. | Management ports should be closed on your virtual machines | 3.0.0
User Authentication for External Connections | 1119.01j2Organizational.3 - 01.j | Network equipment is checked for unanticipated dial-up capabilities. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
User Authentication for External Connections | 1175.01j1Organizational.8 - 01.j | Remote access to business information across public networks only takes place after successful identification and authentication. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
User Authentication for External Connections | 1179.01j3Organizational.1 - 01.j | The information system monitors and controls remote access methods. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Remote Diagnostic and Configuration Port Protection | 1192.01l1Organizational.1 - 01.l | Access to network equipment is physically protected. | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0
Remote Diagnostic and Configuration Port Protection | 1193.01l2Organizational.13 - 01.l | Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. | Management ports should be closed on your virtual machines | 3.0.0
Remote Diagnostic and Configuration Port Protection | 1197.01l3Organizational.3 - 01.l | The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure. | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0
Segregation in Networks | 0805.01m1Organizational.12 - 01.m | The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. | Internet-facing virtual machines should be protected with network security groups | 3.0.0
Segregation in Networks 0806.01m2Organizational.12356 - 01.m The organization's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. Internet-facing virtual machines should be protected with network security groups 3.0.0
Segregation in Networks 0894.01m2Organizational.7 - 01.m Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0809.01n2Organizational.1234 - 01.n Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0810.01n2Organizational.5 - 01.n Transmitted information is secured and, at a minimum, encrypted over open, public networks. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0811.01n2Organizational.6 - 01.n Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0812.01n2Organizational.8 - 01.n Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Connection Control 0814.01n1Organizational.12 - 01.n The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications. Internet-facing virtual machines should be protected with network security groups 3.0.0
User Identification and Authentication 11210.01q2Organizational.10 - 01.q Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. Audit Windows machines that have the specified members in the Administrators group 2.0.0
User Identification and Authentication 11211.01q2Organizational.11 - 01.q Signed electronic records shall contain information associated with the signing in human-readable format. Audit Windows machines missing any of specified members in the Administrators group 2.0.0
User Identification and Authentication 1123.01q1System.2 - 01.q Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. Audit Windows machines that have extra accounts in the Administrators group 2.0.0
User Identification and Authentication 1125.01q2System.1 - 01.q Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access). Audit Windows machines that have the specified members in the Administrators group 2.0.0
User Identification and Authentication 1127.01q2System.3 - 01.q Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Audit Logging 1202.09aa1System.1 - 09.aa A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information. System updates on virtual machine scale sets should be installed 3.0.0
Audit Logging 1206.09aa2System.23 - 09.aa Auditing is always available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), activation and deactivation of identification and authentication mechanisms, and creation and deletion of system-level objects. Resource logs in Virtual Machine Scale Sets should be enabled 2.1.0
Monitoring System Use 12100.09ab2System.15 - 09.ab The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state. Virtual machines should have the Log Analytics extension installed 1.0.1
Monitoring System Use 12101.09ab1Organizational.3 - 09.ab The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Monitoring System Use 12102.09ab1Organizational.4 - 09.ab The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes. Audit Windows machines on which the Log Analytics agent is not connected as expected 2.0.0
Monitoring System Use 1215.09ab2System.7 - 09.ab Auditing and monitoring systems employed by the organization support audit reduction and report generation. Virtual machines should have the Log Analytics extension installed 1.0.1
Monitoring System Use 1216.09ab3System.12 - 09.ab Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Monitoring System Use 1217.09ab3System.3 - 09.ab Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. Audit Windows machines on which the Log Analytics agent is not connected as expected 2.0.0
Segregation of Duties 1232.09c3Organizational.12 - 09.c Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. Windows machines should meet requirements for 'User Rights Assignment' 3.0.0
Segregation of Duties 1277.09c2Organizational.4 - 09.c The initiation of an event is separated from its authorization to reduce the possibility of collusion. Windows machines should meet requirements for 'Security Options - User Account Control' 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Deploy default Microsoft IaaSAntimalware extension for Windows Server 1.1.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Controls Against Malicious Code 0201.09j1Organizational.124 - 09.j Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution. System updates should be installed on your machines 4.0.0
Back-up 1620.09l1Organizational.8 - 09.l When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. Azure Backup should be enabled for Virtual Machines 3.0.0
Back-up 1625.09l3Organizational.34 - 09.l Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action. Azure Backup should be enabled for Virtual Machines 3.0.0
Back-up 1699.09l1Organizational.10 - 09.l Workforce members' roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices. Azure Backup should be enabled for Virtual Machines 3.0.0
Network Controls 0858.09m1Organizational.4 - 09.m The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Network Controls 0858.09m1Organizational.4 - 09.m The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Network Controls 0858.09m1Organizational.4 - 09.m The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative. Windows machines should meet requirements for 'Windows Firewall Properties' 3.0.0
Network Controls 0859.09m1Organizational.78 - 09.m The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Controls 0861.09m2Organizational.67 - 09.m To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system. Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
Security of Network Services 0835.09n1Organizational.1 - 09.n Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Security of Network Services 0835.09n1Organizational.1 - 09.n Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Security of Network Services 0836.09.n2Organizational.1 - 09.n The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization. [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Security of Network Services 0885.09n2Organizational.3 - 09.n The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements. [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Security of Network Services 0887.09n2Organizational.5 - 09.n The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services. [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Management of Removable Media 0302.09o2Organizational.1 - 09.o The organization protects and controls media containing sensitive information during transport outside of controlled areas. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
On-line Transactions 0945.09y1Organizational.3 - 09.y Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). Audit Windows machines that do not contain the specified certificates in Trusted Root 3.0.0
Control of Operational Software 0605.10h1System.12 - 10.h Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control of Operational Software 0605.10h1System.12 - 10.h Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. Windows machines should meet requirements for 'Security Options - Audit' 3.0.0
Control of Operational Software 0605.10h1System.12 - 10.h Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. Windows machines should meet requirements for 'System Audit Policies - Account Management' 3.0.0
Control of Operational Software 0606.10h2System.1 - 10.h Applications and operating systems are successfully tested for usability, security and impact prior to production. Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Operational Software 0607.10h2System.23 - 10.h The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Control of Operational Software 0607.10h2System.23 - 10.h The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Change Control Procedures 0635.10k1Organizational.12 - 10.k Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0636.10k2Organizational.1 - 10.k The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0637.10k2Organizational.2 - 10.k The organization has developed, documented, and implemented a configuration management plan for the information system. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0638.10k2Organizational.34569 - 10.k Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0639.10k2Organizational.78 - 10.k Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0640.10k2Organizational.1012 - 10.k Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0641.10k2Organizational.11 - 10.k The organization does not use automated updates on critical systems. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0642.10k3Organizational.12 - 10.k The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0643.10k3Organizational.3 - 10.k The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Change Control Procedures 0644.10k3Organizational.4 - 10.k The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions. Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Control of Technical Vulnerabilities 0709.10m1Organizational.1 - 10.m Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. Windows machines should meet requirements for 'Security Options - Microsoft Network Server' 3.0.0
Control of Technical Vulnerabilities 0711.10m2Organizational.23 - 10.m A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Control of Technical Vulnerabilities 0713.10m2Organizational.5 - 10.m Patches are tested and evaluated before they are installed. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control of Technical Vulnerabilities 0714.10m2Organizational.7 - 10.m The technical vulnerability management program is evaluated on a quarterly basis. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Control of Technical Vulnerabilities 0715.10m2Organizational.8 - 10.m Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled). Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Technical Vulnerabilities 0717.10m3Organizational.2 - 10.m Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Control of Technical Vulnerabilities 0718.10m3Organizational.34 - 10.m The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported. Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Business Continuity and Risk Assessment 1634.12b1Organizational.1 - 12.b The organization identifies the critical business processes requiring business continuity. Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity and Risk Assessment 1637.12b2Organizational.2 - 12.b Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. Windows machines should meet requirements for 'Security Options - Recovery console' 3.0.0
Business Continuity and Risk Assessment 1638.12b2Organizational.345 - 12.b Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and are not limited to the information assets, but include the results specific to information security; and (iii) identify, quantify, and prioritize risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. Audit virtual machines without disaster recovery configured 1.0.0

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control 9.3.1.12 Remote Access (AC-17) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Access Control 9.3.1.12 Remote Access (AC-17) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Access Control 9.3.1.12 Remote Access (AC-17) Audit Linux machines that allow remote connections from accounts without passwords 3.0.0
Access Control 9.3.1.12 Remote Access (AC-17) Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.0.0
Access Control 9.3.1.2 Account Management (AC-2) Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control 9.3.1.6 Least Privilege (AC-6) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection 9.3.16.15 Protection of Information at Rest (SC-28) Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection 9.3.16.5 Boundary Protection (SC-7) Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
System and Communications Protection 9.3.16.5 Boundary Protection (SC-7) Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection 9.3.16.5 Boundary Protection (SC-7) All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Windows web servers should be configured to use secure communication protocols 4.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) System updates should be installed on your machines 4.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) Vulnerabilities in security configuration on your machines should be remediated 3.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity 9.3.17.3 Malicious Code Protection (SI-3) Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity 9.3.17.3 Malicious Code Protection (SI-3) Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) Virtual machines should be connected to a specified workspace 1.1.0
Awareness and Training 9.3.3.11 Audit Generation (AU-12) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Virtual machines should be connected to a specified workspace 1.1.0
Awareness and Training 9.3.3.3 Content of Audit Records (AU-3) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Awareness and Training 9.3.3.3 Content of Audit Records (AU-3) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Awareness and Training 9.3.3.3 Content of Audit Records (AU-3) Virtual machines should be connected to a specified workspace 1.1.0
Awareness and Training 9.3.3.6 Audit Review, Analysis, and Reporting (AU-6) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Awareness and Training 9.3.3.6 Audit Review, Analysis, and Reporting (AU-6) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Awareness and Training 9.3.3.6 Audit Review, Analysis, and Reporting (AU-6) Virtual machines should be connected to a specified workspace 1.1.0
Configuration Management 9.3.5.11 User-Installed Software (CM-11) Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management 9.3.5.7 Least Functionality (CM-7) Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Contingency Planning 9.3.6.6 Alternate Processing Site (CP-7) Audit virtual machines without disaster recovery configured 1.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Linux machines that do not have the passwd file permissions set to 0644 3.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Linux machines that have accounts without passwords 3.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that allow re-use of the previous 24 passwords 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not have a maximum password age of 70 days 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not have a minimum password age of 1 day 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not restrict the minimum password length to 14 characters 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Cryptography | 10.1.1 | Policy on the use of cryptographic controls | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Operations security | 12.4.1 | Event Logging | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Operations security | 12.4.1 | Event Logging | Dependency agent should be enabled for listed virtual machine images | 2.0.0 |
| Operations security | 12.4.1 | Event Logging | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.0 |
| Operations security | 12.4.1 | Event Logging | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Operations security | 12.4.3 | Administrator and operator logs | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Operations security | 12.4.3 | Administrator and operator logs | Dependency agent should be enabled for listed virtual machine images | 2.0.0 |
| Operations security | 12.4.3 | Administrator and operator logs | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.0 |
| Operations security | 12.4.3 | Administrator and operator logs | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Operations security | 12.4.4 | Clock Synchronization | [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | 2.0.1-preview |
| Operations security | 12.4.4 | Clock Synchronization | Dependency agent should be enabled for listed virtual machine images | 2.0.0 |
| Operations security | 12.4.4 | Clock Synchronization | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.0 |
| Operations security | 12.4.4 | Clock Synchronization | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Operations security | 12.5.1 | Installation of software on operational systems | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Operations security | 12.6.1 | Management of technical vulnerabilities | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Operations security | 12.6.1 | Management of technical vulnerabilities | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Operations security | 12.6.1 | Management of technical vulnerabilities | System updates should be installed on your machines | 4.0.0 |
| Operations security | 12.6.1 | Management of technical vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Operations security | 12.6.2 | Restrictions on software installation | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Communications security | 13.1.1 | Network controls | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Audit Linux machines that have accounts without passwords | 3.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Audit VMs that do not use managed disks | 1.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Access control | 9.1.2 | Access to networks and network services | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Access control | 9.2.4 | Management of secret authentication information of users | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Access control | 9.4.3 | Password management system | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access control | 9.4.3 | Password management system | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Access control | 9.4.3 | Password management system | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
| Access control | 9.4.3 | Password management system | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |

New Zealand ISM Restricted

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - New Zealand ISM Restricted. For more information about this compliance standard, see New Zealand ISM Restricted.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Information security monitoring | ISM-3 | 6.2.5 Conducting vulnerability assessments | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Information security monitoring | ISM-4 | 6.2.6 Resolving vulnerabilities | SQL servers on machines should have vulnerability findings resolved | 1.0.0 |
| Information security monitoring | ISM-4 | 6.2.6 Resolving vulnerabilities | Vulnerabilities in container security configurations should be remediated | 3.0.0 |
| Information security monitoring | ISM-4 | 6.2.6 Resolving vulnerabilities | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Information security monitoring | ISM-4 | 6.2.6 Resolving vulnerabilities | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Information security monitoring | ISM-7 | 6.4.5 Availability requirements | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Product Security | PRS-5 | 12.4.4 Patching vulnerabilities in products | System updates on virtual machine scale sets should be installed | 3.0.0 |
| Product Security | PRS-5 | 12.4.4 Patching vulnerabilities in products | System updates should be installed on your machines | 4.0.0 |
| Software security | SS-2 | 14.1.8 Developing hardened SOEs | Management ports should be closed on your virtual machines | 3.0.0 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Software security | SS-3 | 14.1.9 Maintaining hardened SOEs | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Software security | SS-5 | 14.2.4 Application Whitelisting | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Software security | SS-5 | 14.2.4 Application Whitelisting | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Access Control and Passwords | AC-4 | 16.1.40 Password selection policy | Audit Linux machines that have accounts without passwords | 3.0.0 |
| Access Control and Passwords | AC-4 | 16.1.40 Password selection policy | Windows machines should meet requirements for 'Security Settings - Account Policies' | 3.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | Audit Windows machines missing any of specified members in the Administrators group | 2.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | Audit Windows machines that have extra accounts in the Administrators group | 2.0.0 |
| Access Control and Passwords | AC-11 | 16.4.30 Privileged Access Management | Audit Windows machines that have the specified members in the Administrators group | 2.0.0 |
| Access Control and Passwords | AC-13 | 16.5.10 Authentication | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control and Passwords | AC-17 | 16.6.9 Events to be logged | Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | 2.0.1 |
| Access Control and Passwords | AC-17 | 16.6.9 Events to be logged | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Cryptography | CR-3 | 17.1.46 Reducing storage and physical transfer requirements | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Cryptography | CR-7 | 17.4.16 Using TLS | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| Cryptography | CR-9 | 17.5.7 Authentication mechanisms | Authentication to Linux machines should require SSH keys | 3.0.0 |
| Cryptography | CR-14 | 17.9.25 Contents of KMPs | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
| Gateway security | GS-2 | 19.1.11 Using Gateways | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Gateway security | GS-3 | 19.1.12 Configuration of Gateways | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| Gateway security | GS-5 | 19.1.23 Testing of Gateways | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Access Control | AC-2 (12) | Account Monitoring for Atypical Usage | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC-3 | Access Enforcement | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC-3 | Access Enforcement | Audit Linux machines that have accounts without passwords | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Authentication to Linux machines should require SSH keys | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Access Control | AC-3 | Access Enforcement | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Disk access resources should use private link | 1.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | IP Forwarding on your virtual machine should be disabled | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Management ports should be closed on your virtual machines | 3.0.0 |
| Access Control | AC-4 | Information Flow Enforcement | Non-internet-facing virtual machines should be protected with network security groups | 3.0.0 |
| Access Control | AC-4 (3) | Dynamic Information Flow Control | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| Access Control | AC-4 (3) | Dynamic Information Flow Control | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Access Control | AC-17 | Remote Access | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC-17 | Remote Access | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC-17 | Remote Access | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC-17 | Remote Access | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Access Control | AC-17 | Remote Access | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC-17 | Remote Access | Disk access resources should use private link | 1.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Access Control | AC-17 (1) | Monitoring and Control | Disk access resources should use private link | 1.0.0 |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-6 | Audit Record Review, Analysis, and Reporting | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Guest Configuration extension should be installed on your machines | 1.0.2 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Audit and Accountability | AU-6 (4) | Central Review and Analysis | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Guest Configuration extension should be installed on your machines | 1.0.2 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Audit and Accountability | AU-6 (5) | Integrated Analysis of Audit Records | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Audit and Accountability | AU-12 | Audit Record Generation | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-12 | Audit Record Generation | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-12 | Audit Record Generation | Guest Configuration extension should be installed on your machines | 1.0.2 |
| Audit and Accountability | AU-12 | Audit Record Generation | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Audit and Accountability | AU-12 | Audit Record Generation | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | 1.0.2-preview |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Guest Configuration extension should be installed on your machines | 1.0.2 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | 1.0.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Resource logs in Virtual Machine Scale Sets should be enabled | 2.1.0 |
| Audit and Accountability | AU-12 (1) | System-wide and Time-correlated Audit Trail | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | 1.0.1 |
| Configuration Management | CM-6 | Configuration Settings | Linux machines should meet requirements for the Azure compute security baseline | 2.0.0 |
| Configuration Management | CM-6 | Configuration Settings | Windows machines should meet requirements of the Azure compute security baseline | 2.0.0 |
| Configuration Management | CM-7 | Least Functionality | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-7 | Least Functionality | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Configuration Management | CM-7 (2) | Prevent Program Execution | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-7 (2) | Prevent Program Execution | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Configuration Management | CM-7 (5) | Authorized Software – Allow-by-exception | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-7 (5) | Authorized Software – Allow-by-exception | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-10 | Software Usage Restrictions | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Configuration Management | CM-11 | User-installed Software | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Configuration Management | CM-11 | User-installed Software | Allowlist rules in your adaptive application control policy should be updated | 3.0.0 |
| Contingency Planning | CP-7 | Alternate Processing Site | Audit virtual machines without disaster recovery configured | 1.0.0 |
| Contingency Planning | CP-9 | System Backup | Azure Backup should be enabled for Virtual Machines | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Authentication to Linux machines should require SSH keys | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Identification and Authentication | IA-5 | Authenticator Management | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
| Identification and Authentication | IA-5 (1) | Password-based Authentication | Audit Windows machines that do not store passwords using reversible encryption | 2.0.0 |
Identification and Authentication IA-5 (1) Password-based Authentication Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection SC-3 Security Function Isolation Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Communications Protection SC-3 Security Function Isolation Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Communications Protection SC-3 Security Function Isolation Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Communications Protection SC-5 Denial-of-service Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection SC-7 Boundary Protection Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC-7 Boundary Protection All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC-7 Boundary Protection Disk access resources should use private link 1.0.0
System and Communications Protection SC-7 Boundary Protection Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-7 Boundary Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection SC-7 Boundary Protection Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC-7 Boundary Protection Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection SC-7 Boundary Protection Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-7 (3) Access Points Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC-7 (3) Access Points All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC-7 (3) Access Points Disk access resources should use private link 1.0.0
System and Communications Protection SC-7 (3) Access Points Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-7 (3) Access Points IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection SC-7 (3) Access Points Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC-7 (3) Access Points Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection SC-7 (3) Access Points Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Windows web servers should be configured to use secure communication protocols 4.0.0
System and Communications Protection SC-8 (1) Cryptographic Protection Windows web servers should be configured to use secure communication protocols 4.0.0
System and Communications Protection SC-12 Cryptographic Key Establishment and Management Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
System and Communications Protection SC-12 Cryptographic Key Establishment and Management OS and data disks should be encrypted with a customer-managed key 3.0.0
System and Communications Protection SC-28 Protection of Information at Rest Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System and Communications Protection SC-28 Protection of Information at Rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection SC-28 (1) Cryptographic Protection Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Information Integrity SI-2 Flaw Remediation A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System and Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 4.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 3.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Information Integrity SI-4 System Monitoring [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System and Information Integrity SI-4 System Monitoring [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System and Information Integrity SI-4 System Monitoring Guest Configuration extension should be installed on your machines 1.0.2
System and Information Integrity SI-4 System Monitoring Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System and Information Integrity SI-4 System Monitoring Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System and Information Integrity SI-4 System Monitoring Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
System and Information Integrity SI-16 Memory Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0

NZ ISM Restricted v3.5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NZ ISM Restricted v3.5. For more information about this compliance standard, see NZ ISM Restricted v3.5.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Access Control and Passwords NZISM Security Benchmark AC-13 16.5.10 Authentication Audit Linux machines that allow remote connections from accounts without passwords 3.0.0
Access Control and Passwords NZISM Security Benchmark AC-18 16.6.9 Events to be logged Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Access Control and Passwords NZISM Security Benchmark AC-18 16.6.9 Events to be logged Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Access Control and Passwords NZISM Security Benchmark AC-18 16.6.9 Events to be logged Resource logs in Virtual Machine Scale Sets should be enabled 2.1.0
Cryptography NZISM Security Benchmark CR-10 17.5.7 Authentication mechanisms Authentication to Linux machines should require SSH keys 3.0.0
Cryptography NZISM Security Benchmark CR-15 17.9.25 Contents of KMPs IP Forwarding on your virtual machine should be disabled 3.0.0
Cryptography NZISM Security Benchmark CR-3 17.1.53 Reducing storage and physical transfer requirements Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Cryptography NZISM Security Benchmark CR-8 17.4.16 Using TLS Windows web servers should be configured to use secure communication protocols 4.0.0
Gateway security NZISM Security Benchmark GS-2 19.1.11 Using Gateways Internet-facing virtual machines should be protected with network security groups 3.0.0
Gateway security NZISM Security Benchmark GS-2 19.1.11 Using Gateways Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Gateway security NZISM Security Benchmark GS-3 19.1.12 Configuration of Gateways All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Gateway security NZISM Security Benchmark GS-5 19.1.23 Testing of Gateways Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Information security monitoring NZISM Security Benchmark ISM-3 6.2.5 Conducting vulnerability assessments A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Information security monitoring NZISM Security Benchmark ISM-4 6.2.6 Resolving vulnerabilities SQL servers on machines should have vulnerability findings resolved 1.0.0
Information security monitoring NZISM Security Benchmark ISM-4 6.2.6 Resolving vulnerabilities Vulnerabilities in container security configurations should be remediated 3.0.0
Information security monitoring NZISM Security Benchmark ISM-4 6.2.6 Resolving vulnerabilities Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Information security monitoring NZISM Security Benchmark ISM-4 6.2.6 Resolving vulnerabilities Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Information security monitoring NZISM Security Benchmark ISM-7 6.4.5 Availability requirements Audit virtual machines without disaster recovery configured 1.0.0
Product Security NZISM Security Benchmark PRS-5 12.4.4 Patching vulnerabilities in products System updates on virtual machine scale sets should be installed 3.0.0
Product Security NZISM Security Benchmark PRS-5 12.4.4 Patching vulnerabilities in products System updates should be installed on your machines 4.0.0
Software security NZISM Security Benchmark SS-2 14.1.8 Developing hardened SOEs Management ports should be closed on your virtual machines 3.0.0
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Endpoint protection health issues should be resolved on your machines 1.0.0
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Endpoint protection should be installed on your machines 1.0.0
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Guest Configuration extension should be installed on your machines 1.0.2
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Software security NZISM Security Benchmark SS-3 14.1.9 Maintaining hardened SOEs Windows Defender Exploit Guard should be enabled on your machines 2.0.0
Software security NZISM Security Benchmark SS-5 14.2.4 Application Whitelisting Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Software security NZISM Security Benchmark SS-5 14.2.4 Application Whitelisting Allowlist rules in your adaptive application control policy should be updated 3.0.0

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Requirement 1 PCI DSS v3.2.1 1.3.2 PCI DSS requirement 1.3.2 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Requirement 1 PCI DSS v3.2.1 1.3.4 PCI DSS requirement 1.3.4 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Requirement 1 PCI DSS v3.2.1 1.3.4 PCI DSS requirement 1.3.4 Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Requirement 10 PCI DSS v3.2.1 10.5.4 PCI DSS requirement 10.5.4 Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Requirement 11 PCI DSS v3.2.1 11.2.1 PCI DSS requirement 11.2.1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 11 PCI DSS v3.2.1 11.2.1 PCI DSS requirement 11.2.1 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 11 PCI DSS v3.2.1 11.2.1 PCI DSS requirement 11.2.1 System updates should be installed on your machines 4.0.0
Requirement 11 PCI DSS v3.2.1 11.2.1 PCI DSS requirement 11.2.1 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Requirement 3 PCI DSS v3.2.1 3.4 PCI DSS requirement 3.4 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 4 PCI DSS v3.2.1 4.1 PCI DSS requirement 4.1 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 5 PCI DSS v3.2.1 5.1 PCI DSS requirement 5.1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 5 PCI DSS v3.2.1 5.1 PCI DSS requirement 5.1 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 5 PCI DSS v3.2.1 5.1 PCI DSS requirement 5.1 System updates should be installed on your machines 4.0.0
Requirement 5 PCI DSS v3.2.1 5.1 PCI DSS requirement 5.1 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Requirement 6 PCI DSS v3.2.1 6.2 PCI DSS requirement 6.2 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 6 PCI DSS v3.2.1 6.2 PCI DSS requirement 6.2 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 6 PCI DSS v3.2.1 6.2 PCI DSS requirement 6.2 System updates should be installed on your machines 4.0.0
Requirement 6 PCI DSS v3.2.1 6.2 PCI DSS requirement 6.2 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Requirement 6 PCI DSS v3.2.1 6.5.3 PCI DSS requirement 6.5.3 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 6 PCI DSS v3.2.1 6.6 PCI DSS requirement 6.6 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 6 PCI DSS v3.2.1 6.6 PCI DSS requirement 6.6 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 6 PCI DSS v3.2.1 6.6 PCI DSS requirement 6.6 System updates should be installed on your machines 4.0.0
Requirement 6 PCI DSS v3.2.1 6.6 PCI DSS requirement 6.6 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Requirement 8 PCI DSS v3.2.1 8.2.3 PCI DSS requirement 8.2.3 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Requirement 8 PCI DSS v3.2.1 8.2.3 PCI DSS requirement 8.2.3 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Requirement 8 PCI DSS v3.2.1 8.2.3 PCI DSS requirement 8.2.3 Audit Windows machines that allow re-use of the previous 24 passwords 2.0.0
Requirement 8 PCI DSS v3.2.1 8.2.3 PCI DSS requirement 8.2.3 Audit Windows machines that do not have a maximum password age of 70 days 2.0.0
Requirement 8 PCI DSS v3.2.1 8.2.3 PCI DSS requirement 8.2.3 Audit Windows machines that do not restrict the minimum password length to 14 characters 2.0.0
Requirement 8 PCI DSS v3.2.1 8.2.3 PCI DSS requirement 8.2.3 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Requirement 8 PCI DSS v3.2.1 8.2.5 PCI DSS requirement 8.2.5 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.0.0
Requirement 8 PCI DSS v3.2.1 8.2.5 PCI DSS requirement 8.2.5 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.0.0
Requirement 8 PCI DSS v3.2.1 8.2.5 PCI DSS requirement 8.2.5 Audit Windows machines that allow re-use of the previous 24 passwords 2.0.0
Requirement 8 PCI DSS v3.2.1 8.2.5 PCI DSS requirement 8.2.5 Audit Windows machines that do not have a maximum password age of 70 days 2.0.0
Requirement 8 PCI DSS v3.2.1 8.2.5 PCI DSS requirement 8.2.5 Audit Windows machines that do not restrict the minimum password length to 14 characters 2.0.0
Requirement 8 PCI DSS v3.2.1 8.2.5 PCI DSS requirement 8.2.5 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
IT Governance RBI IT Framework 1 IT Governance-1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
IT Governance RBI IT Framework 1 IT Governance-1 SQL servers on machines should have vulnerability findings resolved 1.0.0
IT Governance RBI IT Framework 1 IT Governance-1 System updates on virtual machine scale sets should be installed 3.0.0
IT Governance RBI IT Framework 1 IT Governance-1 System updates should be installed on your machines 4.0.0
IT Governance RBI IT Framework 1 IT Governance-1 Vulnerabilities in container security configurations should be remediated 3.0.0
IT Governance RBI IT Framework 1 IT Governance-1 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
IT Governance RBI IT Framework 1 IT Governance-1 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
IT Governance RBI IT Framework 1.1 IT Governance-1.1 IP Forwarding on your virtual machine should be disabled 3.0.0
IT Governance RBI IT Framework 1.1 IT Governance-1.1 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
IT Governance RBI IT Framework 1.1 IT Governance-1.1 Management ports should be closed on your virtual machines 3.0.0
IT Policy RBI IT Framework 2 IT Policy-2 Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
IT Policy RBI IT Framework 2 IT Policy-2 Allowlist rules in your adaptive application control policy should be updated 3.0.0
Information and Cyber Security RBI IT Framework 3.1.b Segregation of Functions-3.1 [Preview]: Secure Boot should be enabled on supported Windows virtual machines 3.0.0-preview
Information and Cyber Security RBI IT Framework 3.1.b Segregation of Functions-3.1 [Preview]: vTPM should be enabled on supported virtual machines 2.0.0-preview
Information and Cyber Security RBI IT Framework 3.1.b Segregation of Functions-3.1 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Information and Cyber Security RBI IT Framework 3.1.c Role based Access Control-3.1 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Information and Cyber Security RBI IT Framework 3.1.g Trails-3.1 Virtual machines should have the Log Analytics extension installed 1.0.1
Information and Cyber Security RBI IT Framework 3.1.h Public Key Infrastructure (PKI)-3.1 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption 2.0.0
Information and Cyber Security RBI IT Framework 3.1.h Public Key Infrastructure (PKI)-3.1 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 SQL servers on machines should have vulnerability findings resolved 1.0.0
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 System updates on virtual machine scale sets should be installed 3.0.0
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 System updates should be installed on your machines 4.0.0
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 Vulnerabilities in container security configurations should be remediated 3.0.0
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Information and Cyber Security RBI IT Framework 3.3 Vulnerability Management-3.3 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
IT Operations RBI IT Framework 4.2 IT Operations-4.2 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
IT Operations RBI IT Framework 4.4.a IT Operations-4.4 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
IT Operations RBI IT Framework 4.4.b MIS For Top Management-4.4 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
IS Audit RBI IT Framework 5 Policy for Information System Audit (IS Audit)-5 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
IS Audit RBI IT Framework 5 Policy for Information System Audit (IS Audit)-5 Internet-facing virtual machines should be protected with network security groups 3.0.0
IS Audit RBI IT Framework 5 Policy for Information System Audit (IS Audit)-5 IP Forwarding on your virtual machine should be disabled 3.0.0
IS Audit RBI IT Framework 5 Policy for Information System Audit (IS Audit)-5 Non-internet-facing virtual machines should be protected with network security groups 3.0.0
IS Audit RBI IT Framework 5.2 Coverage-5.2 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning RBI IT Framework 6 Business Continuity Planning (BCP) and Disaster Recovery-6 Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity Planning RBI IT Framework 6 Business Continuity Planning (BCP) and Disaster Recovery-6 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning RBI IT Framework 6.2 Recovery strategy / Contingency Plan-6.2 Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity Planning RBI IT Framework 6.2 Recovery strategy / Contingency Plan-6.2 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning RBI IT Framework 6.3 Recovery strategy / Contingency Plan-6.3 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning RBI IT Framework 6.4 Recovery strategy / Contingency Plan-6.4 Audit virtual machines without disaster recovery configured 1.0.0

RMIT Malaysia

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.

Domain Control ID Control title Policy (Azure portal) Policy version (GitHub)
Datacenter Operations RMiT 10.27 Datacenter Operations - 10.27 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets 3.0.1
Datacenter Operations RMiT 10.27 Datacenter Operations - 10.27 Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Datacenter Operations RMiT 10.30 Datacenter Operations - 10.30 Azure Backup should be enabled for Virtual Machines 3.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 Configure managed disks to disable public network access 2.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 IP Forwarding on your virtual machine should be disabled 3.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 Managed disks should disable public network access 2.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Network Resilience RMiT 10.33 Network Resilience - 10.33 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Network Resilience RMiT 10.35 Network Resilience - 10.35 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets 3.0.1
Cloud Services RMiT 10.49 Cloud Services - 10.49 Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Cloud Services RMiT 10.49 Cloud Services - 10.49 Management ports should be closed on your virtual machines 3.0.0
Cloud Services RMiT 10.51 Cloud Services - 10.51 Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Cloud Services RMiT 10.51 Cloud Services - 10.51 Audit virtual machines without disaster recovery configured 1.0.0
Cloud Services RMiT 10.53 Cloud Services - 10.53 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption 2.0.0
Cloud Services RMiT 10.53 Cloud Services - 10.53 OS and data disks should be encrypted with a customer-managed key 3.0.0
Access Control RMiT 10.54 Access Control - 10.54 Guest Configuration extension should be installed on your machines 1.0.2
Access Control RMiT 10.54 Access Control - 10.54 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control RMiT 10.54 Access Control - 10.54 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Access Control RMiT 10.61 Access Control - 10.61 Guest Configuration extension should be installed on your machines 1.0.2
Access Control RMiT 10.61 Access Control - 10.61 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control RMiT 10.61 Access Control - 10.61 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Patch and End-of-Life System Management RMiT 10.63 Patch and End-of-Life System Management - 10.63 Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
Patch and End-of-Life System Management RMiT 10.63 Patch and End-of-Life System Management - 10.63 System updates on virtual machine scale sets should be installed 3.0.0
Patch and End-of-Life System Management RMiT 10.65 Patch and End-of-Life System Management - 10.65 System updates should be installed on your machines 4.0.0
Patch and End-of-Life System Management RMiT 10.65 Patch and End-of-Life System Management - 10.65 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Security of Digital Services RMiT 10.66 Security of Digital Services - 10.66 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines 3.0.1
Security of Digital Services RMiT 10.66 Security of Digital Services - 10.66 Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Security of Digital Services RMiT 10.66 Security of Digital Services - 10.66 The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Security of Digital Services RMiT 10.66 Security of Digital Services - 10.66 Virtual machines should have the Log Analytics extension installed 1.0.1
Data Loss Prevention (DLP) RMiT 11.15 Data Loss Prevention (DLP) - 11.15 Configure managed disks to disable public network access 2.0.0
Data Loss Prevention (DLP) RMiT 11.15 Data Loss Prevention (DLP) - 11.15 Managed disks should disable public network access 2.0.0
Data Loss Prevention (DLP) RMiT 11.15 Data Loss Prevention (DLP) - 11.15 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption 2.0.0
Security Operations Centre (SOC) RMiT 11.17 Security Operations Centre (SOC) - 11.17 Allowlist rules in your adaptive application control policy should be updated 3.0.0
Security Operations Centre (SOC) RMiT 11.17 Security Operations Centre (SOC) - 11.17 Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Security Operations Centre (SOC) RMiT 11.18 Security Operations Centre (SOC) - 11.18 Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Security Operations Centre (SOC) RMiT 11.18 Security Operations Centre (SOC) - 11.18 Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Security Operations Centre (SOC) RMiT 11.18 Security Operations Centre (SOC) - 11.18 Resource logs in Virtual Machine Scale Sets should be enabled 2.1.0
Cyber Risk Management RMiT 11.2 Cyber Risk Management - 11.2 Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
Security Operations Centre (SOC) RMiT 11.20 Security Operations Centre (SOC) - 11.20 Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
Cyber Risk Management RMiT 11.4 Cyber Risk Management - 11.4 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location 9.0.0
Cyber Risk Management RMiT 11.4 Cyber Risk Management - 11.4 Only approved VM extensions should be installed 1.0.0
Cybersecurity Operations RMiT 11.8 Cybersecurity Operations - 11.8 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.2 Control Measures on Cybersecurity - Appendix 5.2 Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.2 Control Measures on Cybersecurity - Appendix 5.2 Vulnerabilities in security configuration on your machines should be remediated 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Internet-facing virtual machines should be protected with network security groups 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 IP Forwarding on your virtual machine should be disabled 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Control Measures on Cybersecurity RMiT Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Vulnerabilities in container security configurations should be remediated 3.0.0

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
|---|---|---|---|---|
| Data in transit protection | 1 | Data in transit protection | Windows web servers should be configured to use secure communication protocols | 4.0.0 |
| Identity and authentication | 10 | Identity and authentication | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | 4.0.0 |
| Identity and authentication | 10 | Identity and authentication | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | 4.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Linux machines that allow remote connections from accounts without passwords | 3.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Linux machines that do not have the passwd file permissions set to 0644 | 3.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Linux machines that have accounts without passwords | 3.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit VMs that do not use managed disks | 1.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that allow re-use of the previous 24 passwords | 2.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have a maximum password age of 70 days | 2.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have a minimum password age of 1 day | 2.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not have the password complexity setting enabled | 2.0.0 |
| Identity and authentication | 10 | Identity and authentication | Audit Windows machines that do not restrict the minimum password length to 14 characters | 2.0.0 |
| Identity and authentication | 10 | Identity and authentication | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | 3.0.0 |
| Identity and authentication | 10 | Identity and authentication | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | 1.2.0 |
| Identity and authentication | 10 | Identity and authentication | Virtual machines should be migrated to new Azure Resource Manager resources | 1.0.0 |
| External interface protection | 11 | External interface protection | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| External interface protection | 11 | External interface protection | Adaptive network hardening recommendations should be applied on internet facing virtual machines | 3.0.0 |
| External interface protection | 11 | External interface protection | All network ports should be restricted on network security groups associated to your virtual machine | 3.0.0 |
| External interface protection | 11 | External interface protection | Endpoint protection solution should be installed on virtual machine scale sets | 3.0.0 |
| External interface protection | 11 | External interface protection | Management ports of virtual machines should be protected with just-in-time network access control | 3.0.0 |
| Asset protection and resilience | 2.3 | Data at rest protection | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | 2.0.3 |
| Operational security | 5.2 | Vulnerability management | A vulnerability assessment solution should be enabled on your virtual machines | 3.0.0 |
| Operational security | 5.2 | Vulnerability management | Monitor missing Endpoint Protection in Azure Security Center | 3.0.0 |
| Operational security | 5.2 | Vulnerability management | System updates on virtual machine scale sets should be installed | 3.0.0 |
| Operational security | 5.2 | Vulnerability management | System updates should be installed on your machines | 4.0.0 |
| Operational security | 5.2 | Vulnerability management | Vulnerabilities in security configuration on your machines should be remediated | 3.0.0 |
| Operational security | 5.2 | Vulnerability management | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | 3.0.0 |
| Operational security | 5.3 | Protective Monitoring | Adaptive application controls for defining safe applications should be enabled on your machines | 3.0.0 |
| Operational security | 5.3 | Protective Monitoring | Audit virtual machines without disaster recovery configured | 1.0.0 |

Next steps