Azure Policy Regulatory Compliance controls for Azure Virtual Machines

Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets ✔️ Uniform scale sets

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Virtual Machines . You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Guidelines for Personnel Security - Access to systems and their resources 415 User identification - 415 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 415 User identification - 415 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 415 User identification - 415 Audit Windows machines that have the specified members in the Administrators group 2.0.0
Guidelines for Personnel Security - Access to systems and their resources 415 User identification - 415 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for System Hardening - Authentication hardening 421 Single-factor authentication - 421 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for System Hardening - Authentication hardening 421 Single-factor authentication - 421 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for System Hardening - Authentication hardening 421 Single-factor authentication - 421 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for System Hardening - Authentication hardening 421 Single-factor authentication - 421 Windows machines should meet requirements for 'Security Settings - Account Policies' 3.0.0
Guidelines for Personnel Security - Access to systems and their resources 445 Privileged access to systems - 445 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 445 Privileged access to systems - 445 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 445 Privileged access to systems - 445 Audit Windows machines that have the specified members in the Administrators group 2.0.0
Guidelines for Personnel Security - Access to systems and their resources 445 Privileged access to systems - 445 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for Cryptography - Cryptographic fundamentals 459 Encrypting data at rest - 459 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Guidelines for System Monitoring - Event logging and auditing 582 Events to be logged - 582 Virtual machines should be connected to a specified workspace 1.1.0
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 Vulnerabilities in container security configurations should be remediated 3.0.0
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Guidelines for Cryptography - Transport Layer Security 1139 Using Transport Layer Security - 1139 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Cryptography - Transport Layer Security 1139 Using Transport Layer Security - 1139 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Cryptography - Transport Layer Security 1139 Using Transport Layer Security - 1139 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for Cryptography - Transport Layer Security 1139 Using Transport Layer Security - 1139 Windows machines should be configured to use secure communication protocols 4.1.1
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 Vulnerabilities in container security configurations should be remediated 3.0.0
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Guidelines for Networking - Network design and configuration 1182 Network access controls - 1182 Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Guidelines for Networking - Network design and configuration 1182 Network access controls - 1182 Internet-facing virtual machines should be protected with network security groups 3.0.0
Guidelines for Database Systems - Database servers 1277 Communications between database servers and web servers - 1277 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Database Systems - Database servers 1277 Communications between database servers and web servers - 1277 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Database Systems - Database servers 1277 Communications between database servers and web servers - 1277 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for Database Systems - Database servers 1277 Communications between database servers and web servers - 1277 Windows machines should be configured to use secure communication protocols 4.1.1
Guidelines for Gateways - Content filtering 1288 Antivirus scanning - 1288 Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Guidelines for Gateways - Content filtering 1288 Antivirus scanning - 1288 Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
Guidelines for Gateways - Content filtering 1288 Antivirus scanning - 1288 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Guidelines for System Management - System administration 1386 Restriction of management traffic flows - 1386 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Guidelines for System Hardening - Operating system hardening 1407 Operating system versions - 1407 System updates on virtual machine scale sets should be installed 3.0.0
Guidelines for System Hardening - Operating system hardening 1407 Operating system versions - 1407 System updates should be installed on your machines 4.0.0
Guidelines for System Hardening - Operating system hardening 1417 Antivirus software - 1417 Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Guidelines for System Hardening - Operating system hardening 1417 Antivirus software - 1417 Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
Guidelines for System Hardening - Operating system hardening 1417 Antivirus software - 1417 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Guidelines for Database Systems - Database servers 1425 Protecting database server contents - 1425 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 Vulnerabilities in container security configurations should be remediated 3.0.0
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Guidelines for System Hardening - Operating system hardening 1490 Application control - 1490 Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 Vulnerabilities in container security configurations should be remediated 3.0.0
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 Vulnerabilities in container security configurations should be remediated 3.0.0
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 Vulnerabilities in container security configurations should be remediated 3.0.0
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Guidelines for Personnel Security - Access to systems and their resources 1503 Standard access to systems - 1503 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 1503 Standard access to systems - 1503 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 1503 Standard access to systems - 1503 Audit Windows machines that have the specified members in the Administrators group 2.0.0
Guidelines for Personnel Security - Access to systems and their resources 1503 Standard access to systems - 1503 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for Personnel Security - Access to systems and their resources 1507 Privileged access to systems - 1507 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 1507 Privileged access to systems - 1507 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 1507 Privileged access to systems - 1507 Audit Windows machines that have the specified members in the Administrators group 2.0.0
Guidelines for Personnel Security - Access to systems and their resources 1507 Privileged access to systems - 1507 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for Personnel Security - Access to systems and their resources 1508 Privileged access to systems - 1508 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 1508 Privileged access to systems - 1508 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for Personnel Security - Access to systems and their resources 1508 Privileged access to systems - 1508 Audit Windows machines that have the specified members in the Administrators group 2.0.0
Guidelines for Personnel Security - Access to systems and their resources 1508 Privileged access to systems - 1508 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Guidelines for Personnel Security - Access to systems and their resources 1508 Privileged access to systems - 1508 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Guidelines for System Management - Data backup and restoration 1511 Performing backups - 1511 Audit virtual machines without disaster recovery configured 1.0.0
Guidelines for System Hardening - Authentication hardening 1546 Authenticating to systems - 1546 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Guidelines for System Hardening - Authentication hardening 1546 Authenticating to systems - 1546 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Guidelines for System Hardening - Authentication hardening 1546 Authenticating to systems - 1546 Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Guidelines for System Hardening - Authentication hardening 1546 Authenticating to systems - 1546 Audit Linux machines that have accounts without passwords 3.1.0
Guidelines for System Hardening - Authentication hardening 1546 Authenticating to systems - 1546 Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-5 Separation of Duties Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-5 Separation of Duties Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-5 Separation of Duties Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control AC-5 Separation of Duties Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control AC-5 Separation of Duties Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-6 Least Privilege Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-6 Least Privilege Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-6 Least Privilege Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control AC-6 Least Privilege Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control AC-6 Least Privilege Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17(1) Remote Access | Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17(1) Remote Access | Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17(1) Remote Access | Automated Monitoring / Control Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17(1) Remote Access | Automated Monitoring / Control Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Audit and Accountability AU-3 Content of Audit Records [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Audit and Accountability AU-3 Content of Audit Records Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Audit and Accountability AU-3 Content of Audit Records Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability AU-12 Audit Generation [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Audit and Accountability AU-12 Audit Generation Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Audit and Accountability AU-12 Audit Generation Virtual machines should be connected to a specified workspace 1.1.0
Configuration Management CM-7(5) Least Functionality | Authorized Software / Whitelisting Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-11 User-Installed Software Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Contingency Planning CP-7 Alternative Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Identification and Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA-5 Authenticator Management Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication IA-5 Authenticator Management Audit Linux machines that have accounts without passwords 3.1.0
Identification and Authentication IA-5 Authenticator Management Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification and Authentication IA-5(1) Authenticator Management | Password-Based Authentication Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment RA-5 Vulnerability Scanning A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection SC-7 Boundary Protection Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC-7 Boundary Protection All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC-7(3) Boundary Protection | Access Points Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC-7(4) Boundary Protection | External Telecommunications Services Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC-8(1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection Windows machines should be configured to use secure communication protocols 4.1.1
System and Communications Protection SC-28 Protection of Information at Rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 4.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI-3(1) Malicious Code Protection | Central Management Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI-3(1) Malicious Code Protection | Central Management Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI-4 Information System Monitoring [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
System and Information Integrity SI-4 Information System Monitoring Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
System and Information Integrity SI-4 Information System Monitoring Virtual machines should be connected to a specified workspace 1.1.0

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
2 Security Center 2.10 Ensure ASC Default policy setting "Monitor Vulnerability Assessment" is not "Disabled" A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
2 Security Center 2.12 Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled" Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
2 Security Center 2.13 Ensure ASC Default policy setting "Monitor Adaptive Application Whitelisting" is not "Disabled" Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
2 Security Center 2.3 Ensure ASC Default policy setting "Monitor System Updates" is not "Disabled" System updates should be installed on your machines 4.0.0
2 Security Center 2.4 Ensure ASC Default policy setting "Monitor OS Vulnerabilities" is not "Disabled" Vulnerabilities in security configuration on your machines should be remediated 3.1.0
2 Security Center 2.5 Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled" Monitor missing Endpoint Protection in Azure Security Center 3.0.0
2 Security Center 2.6 Ensure ASC Default policy setting "Monitor Disk Encryption" is not "Disabled" Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
2 Security Center 2.7 Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
2 Security Center 2.9 Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" Internet-facing virtual machines should be protected with network security groups 3.0.0
7 Virtual Machines 7.1 Ensure that 'OS disk' are encrypted Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
7 Virtual Machines 7.2 Ensure that 'Data disks' are encrypted Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
7 Virtual Machines 7.4 Ensure that only approved extensions are installed Only approved VM extensions should be installed 1.0.0
7 Virtual Machines 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied System updates should be installed on your machines 4.0.0
7 Virtual Machines 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Monitor missing Endpoint Protection in Azure Security Center 3.0.0

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
7 Virtual Machines 7.1 Ensure Virtual Machines are utilizing Managed Disks Audit VMs that do not use managed disks 1.0.0
7 Virtual Machines 7.2 Ensure that 'OS and Data' disks are encrypted with CMK Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
7 Virtual Machines 7.4 Ensure that only approved extensions are installed Only approved VM extensions should be installed 1.0.0
7 Virtual Machines 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied System updates should be installed on your machines 4.0.0
7 Virtual Machines 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Monitor missing Endpoint Protection in Azure Security Center 3.0.0

CIS Microsoft Azure Foundations Benchmark 1.4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
7 Virtual Machines 7.1 Ensure Virtual Machines are utilizing Managed Disks Audit VMs that do not use managed disks 1.0.0
7 Virtual Machines 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
7 Virtual Machines 7.4 Ensure that Only Approved Extensions Are Installed Only approved VM extensions should be installed 1.0.0
7 Virtual Machines 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied System updates should be installed on your machines 4.0.0
7 Virtual Machines 7.6 Ensure that the endpoint protection for all Virtual Machines is installed Monitor missing Endpoint Protection in Azure Security Center 3.0.0

CIS Microsoft Azure Foundations Benchmark 2.0.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
2.1 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' Machines should be configured to periodically check for missing system updates 3.7.0
6 6.1 Ensure that RDP access from the Internet is evaluated and restricted Management ports should be closed on your virtual machines 3.0.0
6 6.2 Ensure that SSH access from the Internet is evaluated and restricted Management ports should be closed on your virtual machines 3.0.0
7 7.2 Ensure Virtual Machines are utilizing Managed Disks Audit VMs that do not use managed disks 1.0.0
7 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
7 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
7 7.5 Ensure that Only Approved Extensions Are Installed Only approved VM extensions should be installed 1.0.0
7 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed Endpoint protection should be installed on your machines 1.0.0

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Access Control AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Windows machines should be configured to use secure communication protocols 4.1.1
Access Control AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
Access Control AC.1.003 Verify and control/limit connections to and use of external information systems. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC.1.003 Verify and control/limit connections to and use of external information systems. Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC.2.007 Employ the principle of least privilege, including for specific security functions and privileged accounts. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC.2.008 Use non-privileged accounts or roles when accessing nonsecurity functions. Windows machines should meet requirements for 'Security Options - User Account Control' 3.0.0
Access Control AC.2.008 Use non-privileged accounts or roles when accessing nonsecurity functions. Windows machines should meet requirements for 'User Rights Assignment' 3.0.0
Access Control AC.2.013 Monitor and control remote access sessions. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC.2.013 Monitor and control remote access sessions. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC.2.013 Monitor and control remote access sessions. Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC.2.013 Monitor and control remote access sessions. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC.2.013 Monitor and control remote access sessions. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC.2.013 Monitor and control remote access sessions. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Access Control AC.2.016 Control the flow of CUI in accordance with approved authorizations. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC.2.016 Control the flow of CUI in accordance with approved authorizations. Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC.2.016 Control the flow of CUI in accordance with approved authorizations. Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
Access Control AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. Windows machines should meet requirements for 'System Audit Policies - Privilege Use' 3.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Guest Configuration extension should be installed on your machines 1.0.3
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Windows machines should meet requirements for 'Security Options - User Account Control' 3.0.0
Access Control AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information. Windows machines should meet requirements for 'User Rights Assignment' 3.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Virtual machines should have the Log Analytics extension installed 1.0.1
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Virtual machines should have the Log Analytics extension installed 1.0.1
Audit and Accountability AU.3.046 Alert in the event of an audit logging process failure. [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Audit and Accountability AU.3.046 Alert in the event of an audit logging process failure. Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Audit and Accountability AU.3.046 Alert in the event of an audit logging process failure. Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability AU.3.048 Collect audit information (e.g., logs) into one or more central repositories. [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Audit and Accountability AU.3.048 Collect audit information (e.g., logs) into one or more central repositories. Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Audit and Accountability AU.3.048 Collect audit information (e.g., logs) into one or more central repositories. The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Audit and Accountability AU.3.048 Collect audit information (e.g., logs) into one or more central repositories. Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability AU.3.048 Collect audit information (e.g., logs) into one or more central repositories. Virtual machines should have the Log Analytics extension installed 1.0.1
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Configuration Management CM.2.061 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.2.061 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management CM.2.062 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Windows machines should meet requirements for 'System Audit Policies - Privilege Use' 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM.2.063 Control and monitor user-installed software. Windows machines should meet requirements for 'Security Options - User Account Control' 3.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Configuration Management CM.2.065 Track, review, approve or disapprove, and log changes to organizational systems. Windows machines should meet requirements for 'System Audit Policies - Policy Change' 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Internet-facing virtual machines should be protected with network security groups 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Configuration Management CM.3.069 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Audit Linux machines that have accounts without passwords 3.1.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.1.077 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Linux machines that have accounts without passwords 3.1.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.2.078 Enforce a minimum password complexity and change of characters when new passwords are created. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.2.079 Prohibit password reuse for a specified number of generations. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA.2.081 Store and transmit only cryptographically-protected passwords. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. Windows machines should be configured to use secure communication protocols 4.1.1
Incident Response IR.2.093 Detect and report events. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.2.137 Regularly perform and test data back-ups. Azure Backup should be enabled for Virtual Machines 3.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Audit virtual machines without disaster recovery configured 1.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Azure Backup should be enabled for Virtual Machines 3.0.0
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should be configured to use secure communication protocols 4.1.1
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.1.176 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.2.179 Use encrypted sessions for the management of network devices. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. Audit Windows machines that have the specified members in the Administrators group 2.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
System and Communications Protection SC.3.185 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Windows machines should be configured to use secure communication protocols 4.1.1
System and Communications Protection SC.3.190 Protect the authenticity of communications sessions. Windows machines should be configured to use secure communication protocols 4.1.1
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. System updates should be installed on your machines 4.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI.1.212 Update malicious code protection mechanisms when new releases are available. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Monitor missing Endpoint Protection in Azure Security Center 3.0.0

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 (12) Account Monitoring / Atypical Usage Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-3 Access Enforcement Audit Linux machines that have accounts without passwords 3.1.0
Access Control AC-3 Access Enforcement Authentication to Linux machines should require SSH keys 3.2.0
Access Control AC-3 Access Enforcement Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-3 Access Enforcement Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control AC-4 Information Flow Enforcement Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control AC-4 Information Flow Enforcement Disk access resources should use private link 1.0.0
Access Control AC-4 Information Flow Enforcement Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 Information Flow Enforcement IP Forwarding on your virtual machine should be disabled 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports should be closed on your virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 Remote Access Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 Remote Access Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 Remote Access Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 Remote Access Disk access resources should use private link 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 (1) Automated Monitoring / Control Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 (1) Automated Monitoring / Control Disk access resources should use private link 1.0.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-6 (4) Central Review And Analysis [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 (4) Central Review And Analysis [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-6 (4) Central Review And Analysis Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-6 (4) Central Review And Analysis Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit And Accountability AU-12 Audit Generation [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-12 Audit Generation Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 Audit Generation Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 Audit Generation Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Configuration Management CM-6 Configuration Settings Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management CM-6 Configuration Settings Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Configuration Management CM-7 Least Functionality Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 Least Functionality Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-10 Software Usage Restrictions Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-10 Software Usage Restrictions Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-11 User-Installed Software Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-11 User-Installed Software Allowlist rules in your adaptive application control policy should be updated 3.0.0
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Contingency Planning CP-9 Information System Backup Azure Backup should be enabled for Virtual Machines 3.0.0
Identification And Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification And Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification And Authentication IA-5 Authenticator Management Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification And Authentication IA-5 Authenticator Management Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification And Authentication IA-5 Authenticator Management Authentication to Linux machines should require SSH keys 3.2.0
Identification And Authentication IA-5 Authenticator Management Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification And Authentication IA-5 Authenticator Management Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification And Authentication IA-5 (1) Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification And Authentication IA-5 (1) Password-Based Authentication Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment RA-5 Vulnerability Scanning A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RA-5 Vulnerability Scanning SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System And Communications Protection SC-3 Security Function Isolation Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Communications Protection SC-3 Security Function Isolation Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Communications Protection SC-3 Security Function Isolation Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Communications Protection SC-5 Denial Of Service Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 Boundary Protection Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System And Communications Protection SC-7 Boundary Protection All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System And Communications Protection SC-7 Boundary Protection Disk access resources should use private link 1.0.0
System And Communications Protection SC-7 Boundary Protection Internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 Boundary Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 Boundary Protection Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System And Communications Protection SC-7 Boundary Protection Management ports should be closed on your virtual machines 3.0.0
System And Communications Protection SC-7 Boundary Protection Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 (3) Access Points Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System And Communications Protection SC-7 (3) Access Points All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System And Communications Protection SC-7 (3) Access Points Disk access resources should use private link 1.0.0
System And Communications Protection SC-7 (3) Access Points Internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 (3) Access Points IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 (3) Access Points Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System And Communications Protection SC-7 (3) Access Points Management ports should be closed on your virtual machines 3.0.0
System And Communications Protection SC-7 (3) Access Points Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity Windows machines should be configured to use secure communication protocols 4.1.1
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection Windows machines should be configured to use secure communication protocols 4.1.1
System And Communications Protection SC-12 Cryptographic Key Establishment And Management Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management OS and data disks should be encrypted with a customer-managed key 3.0.0
System And Communications Protection SC-28 Protection Of Information At Rest Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System And Communications Protection SC-28 Protection Of Information At Rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System And Communications Protection SC-28 (1) Cryptographic Protection Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System And Communications Protection SC-28 (1) Cryptographic Protection Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System And Information Integrity SI-2 Flaw Remediation A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System And Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 3.0.0
System And Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 4.0.0
System And Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System And Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Information Integrity SI-3 (1) Central Management Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Information Integrity SI-3 (1) Central Management Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Information Integrity SI-3 (1) Central Management Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Information Integrity SI-4 Information System Monitoring [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System And Information Integrity SI-4 Information System Monitoring [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System And Information Integrity SI-4 Information System Monitoring Guest Configuration extension should be installed on your machines 1.0.3
System And Information Integrity SI-4 Information System Monitoring Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System And Information Integrity SI-4 Information System Monitoring Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System And Information Integrity SI-4 Information System Monitoring Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
System And Information Integrity SI-16 Memory Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 (12) Account Monitoring / Atypical Usage Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-3 Access Enforcement Audit Linux machines that have accounts without passwords 3.1.0
Access Control AC-3 Access Enforcement Authentication to Linux machines should require SSH keys 3.2.0
Access Control AC-3 Access Enforcement Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-3 Access Enforcement Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control AC-4 Information Flow Enforcement Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control AC-4 Information Flow Enforcement Disk access resources should use private link 1.0.0
Access Control AC-4 Information Flow Enforcement Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 Information Flow Enforcement IP Forwarding on your virtual machine should be disabled 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports should be closed on your virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 Remote Access Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 Remote Access Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 Remote Access Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 Remote Access Disk access resources should use private link 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 (1) Automated Monitoring / Control Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 (1) Automated Monitoring / Control Disk access resources should use private link 1.0.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-12 Audit Generation Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 Audit Generation Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 Audit Generation Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Configuration Management CM-6 Configuration Settings Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management CM-6 Configuration Settings Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Configuration Management CM-7 Least Functionality Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 Least Functionality Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-10 Software Usage Restrictions Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-10 Software Usage Restrictions Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-11 User-Installed Software Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-11 User-Installed Software Allowlist rules in your adaptive application control policy should be updated 3.0.0
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Contingency Planning CP-9 Information System Backup Azure Backup should be enabled for Virtual Machines 3.0.0
Identification And Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification And Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification And Authentication IA-5 Authenticator Management Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification And Authentication IA-5 Authenticator Management Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification And Authentication IA-5 Authenticator Management Authentication to Linux machines should require SSH keys 3.2.0
Identification And Authentication IA-5 Authenticator Management Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification And Authentication IA-5 Authenticator Management Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification And Authentication IA-5 (1) Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification And Authentication IA-5 (1) Password-Based Authentication Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment RA-5 Vulnerability Scanning A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RA-5 Vulnerability Scanning SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System And Communications Protection SC-5 Denial Of Service Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 Boundary Protection Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System And Communications Protection SC-7 Boundary Protection All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System And Communications Protection SC-7 Boundary Protection Disk access resources should use private link 1.0.0
System And Communications Protection SC-7 Boundary Protection Internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 Boundary Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 Boundary Protection Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System And Communications Protection SC-7 Boundary Protection Management ports should be closed on your virtual machines 3.0.0
System And Communications Protection SC-7 Boundary Protection Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 (3) Access Points Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System And Communications Protection SC-7 (3) Access Points All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System And Communications Protection SC-7 (3) Access Points Disk access resources should use private link 1.0.0
System And Communications Protection SC-7 (3) Access Points Internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 (3) Access Points IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 (3) Access Points Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System And Communications Protection SC-7 (3) Access Points Management ports should be closed on your virtual machines 3.0.0
System And Communications Protection SC-7 (3) Access Points Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity Windows machines should be configured to use secure communication protocols 4.1.1
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection Windows machines should be configured to use secure communication protocols 4.1.1
System And Communications Protection SC-12 Cryptographic Key Establishment And Management Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management OS and data disks should be encrypted with a customer-managed key 3.0.0
System And Communications Protection SC-28 Protection Of Information At Rest Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System And Communications Protection SC-28 Protection Of Information At Rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System And Communications Protection SC-28 (1) Cryptographic Protection Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System And Communications Protection SC-28 (1) Cryptographic Protection Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System And Information Integrity SI-2 Flaw Remediation A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System And Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 3.0.0
System And Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 4.0.0
System And Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System And Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Information Integrity SI-3 (1) Central Management Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Information Integrity SI-3 (1) Central Management Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Information Integrity SI-3 (1) Central Management Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Information Integrity SI-4 Information System Monitoring [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System And Information Integrity SI-4 Information System Monitoring [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System And Information Integrity SI-4 Information System Monitoring Guest Configuration extension should be installed on your machines 1.0.3
System And Information Integrity SI-4 Information System Monitoring Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System And Information Integrity SI-4 Information System Monitoring Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System And Information Integrity SI-4 Information System Monitoring Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
System And Information Integrity SI-16 Memory Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
User Identification and Authentication 11210.01q2Organizational.10 - 01.q Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records. Audit Windows machines that have the specified members in the Administrators group 2.0.0
User Identification and Authentication 11211.01q2Organizational.11 - 01.q Signed electronic records shall contain information associated with the signing in human-readable format. Audit Windows machines missing any of specified members in the Administrators group 2.0.0
02 Endpoint Protection 0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
02 Endpoint Protection 0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Deploy default Microsoft IaaSAntimalware extension for Windows Server 1.1.0
02 Endpoint Protection 0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
02 Endpoint Protection 0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
02 Endpoint Protection 0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code Monitor missing Endpoint Protection in Azure Security Center 3.0.0
02 Endpoint Protection 0201.09j1Organizational.124-09.j 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code System updates should be installed on your machines 4.0.0
03 Portable Media Security 0302.09o2Organizational.1-09.o 0302.09o2Organizational.1-09.o 09.07 Media Handling Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
06 Configuration Management 0605.10h1System.12-10.h 0605.10h1System.12-10.h 10.04 Security of System Files Vulnerabilities in security configuration on your machines should be remediated 3.1.0
06 Configuration Management 0605.10h1System.12-10.h 0605.10h1System.12-10.h 10.04 Security of System Files Windows machines should meet requirements for 'Security Options - Audit' 3.0.0
06 Configuration Management 0605.10h1System.12-10.h 0605.10h1System.12-10.h 10.04 Security of System Files Windows machines should meet requirements for 'System Audit Policies - Account Management' 3.0.0
06 Configuration Management 0635.10k1Organizational.12-10.k 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0636.10k2Organizational.1-10.k 0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0637.10k2Organizational.2-10.k 0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0638.10k2Organizational.34569-10.k 0638.10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0639.10k2Organizational.78-10.k 0639.10k2Organizational.78-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0640.10k2Organizational.1012-10.k 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0641.10k2Organizational.11-10.k 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0642.10k3Organizational.12-10.k 0642.10k3Organizational.12-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0643.10k3Organizational.3-10.k 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
06 Configuration Management 0644.10k3Organizational.4-10.k 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' 3.0.0
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Vulnerabilities in container security configurations should be remediated 3.0.0
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Vulnerabilities in security configuration on your machines should be remediated 3.1.0
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Windows machines should meet requirements for 'Security Options - Microsoft Network Server' 3.0.0
07 Vulnerability Management 0711.10m2Organizational.23-10.m 0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
07 Vulnerability Management 0713.10m2Organizational.5-10.m 0713.10m2Organizational.5-10.m 10.06 Technical Vulnerability Management Vulnerabilities in security configuration on your machines should be remediated 3.1.0
07 Vulnerability Management 0714.10m2Organizational.7-10.m 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
07 Vulnerability Management 0715.10m2Organizational.8-10.m 0715.10m2Organizational.8-10.m 10.06 Technical Vulnerability Management Vulnerabilities in container security configurations should be remediated 3.0.0
07 Vulnerability Management 0717.10m3Organizational.2-10.m 0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
07 Vulnerability Management 0718.10m3Organizational.34-10.m 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management Vulnerabilities in security configuration on your machines should be remediated 3.1.0
08 Network Protection 0805.01m1Organizational.12-01.m 0805.01m1Organizational.12-01.m 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0806.01m2Organizational.12356-01.m 0806.01m2Organizational.12356-01.m 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
08 Network Protection 0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 01.04 Network Access Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
08 Network Protection 0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 01.04 Network Access Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
08 Network Protection 0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 01.04 Network Access Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
08 Network Protection 0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 01.04 Network Access Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
08 Network Protection 0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
08 Network Protection 0835.09n1Organizational.1-09.n 0835.09n1Organizational.1-09.n 09.06 Network Security Management [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
08 Network Protection 0835.09n1Organizational.1-09.n 0835.09n1Organizational.1-09.n 09.06 Network Security Management Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
08 Network Protection 0836.09.n2Organizational.1-09.n 0836.09.n2Organizational.1-09.n 09.06 Network Security Management [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
08 Network Protection 0858.09m1Organizational.4-09.m 0858.09m1Organizational.4-09.m 09.06 Network Security Management All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
08 Network Protection 0858.09m1Organizational.4-09.m 0858.09m1Organizational.4-09.m 09.06 Network Security Management Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
08 Network Protection 0858.09m1Organizational.4-09.m 0858.09m1Organizational.4-09.m 09.06 Network Security Management Windows machines should meet requirements for 'Windows Firewall Properties' 3.0.0
08 Network Protection 0859.09m1Organizational.78-09.m 0859.09m1Organizational.78-09.m 09.06 Network Security Management Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
08 Network Protection 0861.09m2Organizational.67-09.m 0861.09m2Organizational.67-09.m 09.06 Network Security Management Windows machines should meet requirements for 'Security Options - Network Access' 3.0.0
08 Network Protection 0885.09n2Organizational.3-09.n 0885.09n2Organizational.3-09.n 09.06 Network Security Management [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
08 Network Protection 0887.09n2Organizational.5-09.n 0887.09n2Organizational.5-09.n 09.06 Network Security Management [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
08 Network Protection 0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 01.04 Network Access Control Internet-facing virtual machines should be protected with network security groups 3.0.0
Back-up 1699.09l1Organizational.10 - 09.l Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices. Azure Backup should be enabled for Virtual Machines 3.0.0
09 Transmission Protection 0945.09y1Organizational.3-09.y 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services Audit Windows machines that do not contain the specified certificates in Trusted Root 3.0.0
Control of Operational Software 0606.10h2System.1 - 10.h Applications and operating systems are successfully tested for usability, security and impact prior to production. Vulnerabilities in container security configurations should be remediated 3.0.0
Control of Operational Software 0607.10h2System.23 - 10.h The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Control of Operational Software 0607.10h2System.23 - 10.h The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
11 Access Control 11180.01c3System.6-01.c 11180.01c3System.6-01.c 01.02 Authorized Access to Information Systems Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
11 Access Control 1119.01j2Organizational.3-01.j 1119.01j2Organizational.3-01.j 01.04 Network Access Control Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
11 Access Control 1123.01q1System.2-01.q 1123.01q1System.2-01.q 01.05 Operating System Access Control Audit Windows machines that have extra accounts in the Administrators group 2.0.0
11 Access Control 1125.01q2System.1-01.q 1125.01q2System.1-01.q 01.05 Operating System Access Control Audit Windows machines that have the specified members in the Administrators group 2.0.0
11 Access Control 1127.01q2System.3-01.q 1127.01q2System.3-01.q 01.05 Operating System Access Control Audit Windows machines missing any of specified members in the Administrators group 2.0.0
11 Access Control 1143.01c1System.123-01.c 1143.01c1System.123-01.c 01.02 Authorized Access to Information Systems Management ports should be closed on your virtual machines 3.0.0
11 Access Control 1148.01c2System.78-01.c 1148.01c2System.78-01.c 01.02 Authorized Access to Information Systems Windows machines should meet requirements for 'Security Options - Accounts' 3.0.0
11 Access Control 1150.01c2System.10-01.c 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems Management ports should be closed on your virtual machines 3.0.0
11 Access Control 1175.01j1Organizational.8-01.j 1175.01j1Organizational.8-01.j 01.04 Network Access Control Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
11 Access Control 1179.01j3Organizational.1-01.j 1179.01j3Organizational.1-01.j 01.04 Network Access Control Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
11 Access Control 1192.01l1Organizational.1-01.l 1192.01l1Organizational.1-01.l 01.04 Network Access Control Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
11 Access Control 1193.01l2Organizational.13-01.l 1193.01l2Organizational.13-01.l 01.04 Network Access Control Management ports should be closed on your virtual machines 3.0.0
11 Access Control 1197.01l3Organizational.3-01.l 1197.01l3Organizational.3-01.l 01.04 Network Access Control Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
12 Audit Logging & Monitoring 1202.09aa1System.1-09.aa 1202.09aa1System.1-09.aa 09.10 Monitoring System updates on virtual machine scale sets should be installed 3.0.0
12 Audit Logging & Monitoring 12100.09ab2System.15-09.ab 12100.09ab2System.15-09.ab 09.10 Monitoring Virtual machines should have the Log Analytics extension installed 1.0.1
12 Audit Logging & Monitoring 12101.09ab1Organizational.3-09.ab 12101.09ab1Organizational.3-09.ab 09.10 Monitoring The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
12 Audit Logging & Monitoring 12102.09ab1Organizational.4-09.ab 12102.09ab1Organizational.4-09.ab 09.10 Monitoring Audit Windows machines on which the Log Analytics agent is not connected as expected 2.0.0
12 Audit Logging & Monitoring 1215.09ab2System.7-09.ab 1215.09ab2System.7-09.ab 09.10 Monitoring Virtual machines should have the Log Analytics extension installed 1.0.1
12 Audit Logging & Monitoring 1216.09ab3System.12-09.ab 1216.09ab3System.12-09.ab 09.10 Monitoring The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
12 Audit Logging & Monitoring 1217.09ab3System.3-09.ab 1217.09ab3System.3-09.ab 09.10 Monitoring Audit Windows machines on which the Log Analytics agent is not connected as expected 2.0.0
12 Audit Logging & Monitoring 1232.09c3Organizational.12-09.c 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures Windows machines should meet requirements for 'User Rights Assignment' 3.0.0
12 Audit Logging & Monitoring 1277.09c2Organizational.4-09.c 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures Windows machines should meet requirements for 'Security Options - User Account Control' 3.0.0
16 Business Continuity & Disaster Recovery 1620.09l1Organizational.8-09.l 1620.09l1Organizational.8-09.l 09.05 Information Back-Up Azure Backup should be enabled for Virtual Machines 3.0.0
16 Business Continuity & Disaster Recovery 1625.09l3Organizational.34-09.l 1625.09l3Organizational.34-09.l 09.05 Information Back-Up Azure Backup should be enabled for Virtual Machines 3.0.0
16 Business Continuity & Disaster Recovery 1634.12b1Organizational.1-12.b 1634.12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management Audit virtual machines without disaster recovery configured 1.0.0
16 Business Continuity & Disaster Recovery 1637.12b2Organizational.2-12.b 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management Windows machines should meet requirements for 'Security Options - Recovery console' 3.0.0
16 Business Continuity & Disaster Recovery 1638.12b2Organizational.345-12.b 1638.12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management Audit virtual machines without disaster recovery configured 1.0.0

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control 9.3.1.12 Remote Access (AC-17) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 9.3.1.12 Remote Access (AC-17) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 9.3.1.12 Remote Access (AC-17) Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control 9.3.1.12 Remote Access (AC-17) Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control 9.3.1.2 Account Management (AC-2) Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control 9.3.1.5 Separation of Duties (AC-5) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control 9.3.1.6 Least Privilege (AC-6) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 9.3.1.6 Least Privilege (AC-6) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 9.3.1.6 Least Privilege (AC-6) Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) Audit Windows machines that have the specified members in the Administrators group 2.0.0
Access Control 9.3.1.6 Least Privilege (AC-6) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection 9.3.16.15 Protection of Information at Rest (SC-28) Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection 9.3.16.5 Boundary Protection (SC-7) Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
System and Communications Protection 9.3.16.5 Boundary Protection (SC-7) Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection 9.3.16.5 Boundary Protection (SC-7) All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
System and Communications Protection 9.3.16.6 Transmission Confidentiality and Integrity (SC-8) Windows machines should be configured to use secure communication protocols 4.1.1
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) System updates should be installed on your machines 4.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity 9.3.17.3 Malicious Code Protection (SI-3) Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity 9.3.17.3 Malicious Code Protection (SI-3) Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) Virtual machines should be connected to a specified workspace 1.1.0
Awareness and Training 9.3.3.11 Audit Generation (AU-12) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Virtual machines should be connected to a specified workspace 1.1.0
Awareness and Training 9.3.3.3 Content of Audit Records (AU-3) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Awareness and Training 9.3.3.3 Content of Audit Records (AU-3) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Awareness and Training 9.3.3.3 Content of Audit Records (AU-3) Virtual machines should be connected to a specified workspace 1.1.0
Awareness and Training 9.3.3.6 Audit Review, Analysis, and Reporting (AU-6) [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Awareness and Training 9.3.3.6 Audit Review, Analysis, and Reporting (AU-6) Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Awareness and Training 9.3.3.6 Audit Review, Analysis, and Reporting (AU-6) Virtual machines should be connected to a specified workspace 1.1.0
Configuration Management 9.3.5.11 User-Installed Software (CM-11) Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management 9.3.5.7 Least Functionality (CM-7) Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Contingency Planning 9.3.6.6 Alternate Processing Site (CP-7) Audit virtual machines without disaster recovery configured 1.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Linux machines that have accounts without passwords 3.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification and Authentication 9.3.7.5 Authenticator Management (IA-5) Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Cryptography 10.1.1 Policy on the use of cryptographic controls Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Cryptography 10.1.1 Policy on the use of cryptographic controls Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Operations Security 12.4.1 Event Logging [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Operations Security 12.4.1 Event Logging Dependency agent should be enabled for listed virtual machine images 2.0.0
Operations Security 12.4.1 Event Logging Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images 2.0.0
Operations Security 12.4.1 Event Logging Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Operations Security 12.4.3 Administrator and operator logs [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Operations Security 12.4.3 Administrator and operator logs Dependency agent should be enabled for listed virtual machine images 2.0.0
Operations Security 12.4.3 Administrator and operator logs Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images 2.0.0
Operations Security 12.4.3 Administrator and operator logs Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Operations Security 12.4.4 Clock Synchronization [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Operations Security 12.4.4 Clock Synchronization Dependency agent should be enabled for listed virtual machine images 2.0.0
Operations Security 12.4.4 Clock Synchronization Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images 2.0.0
Operations Security 12.4.4 Clock Synchronization Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Operations Security 12.5.1 Installation of software on operational systems Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Operations Security 12.6.1 Management of technical vulnerabilities A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Operations Security 12.6.1 Management of technical vulnerabilities Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Operations Security 12.6.1 Management of technical vulnerabilities System updates should be installed on your machines 4.0.0
Operations Security 12.6.1 Management of technical vulnerabilities Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Operations Security 12.6.2 Restrictions on software installation Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Communications Security 13.1.1 Network controls All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control 9.1.2 Access to networks and network services Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 9.1.2 Access to networks and network services Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 9.1.2 Access to networks and network services Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control 9.1.2 Access to networks and network services Audit Linux machines that have accounts without passwords 3.1.0
Access Control 9.1.2 Access to networks and network services Audit VMs that do not use managed disks 1.0.0
Access Control 9.1.2 Access to networks and network services Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control 9.1.2 Access to networks and network services Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control 9.2.4 Management of secret authentication information of users Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 9.2.4 Management of secret authentication information of users Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 9.2.4 Management of secret authentication information of users Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Access Control 9.2.4 Management of secret authentication information of users Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control 9.4.3 Password management system Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 9.4.3 Password management system Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 9.4.3 Password management system Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Access Control 9.4.3 Password management system Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Access Control 9.4.3 Password management system Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Access Control 9.4.3 Password management system Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Access Control 9.4.3 Password management system Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Access Control 9.4.3 Password management system Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0

Microsoft Cloud for Sovereignty Baseline Confidential Policies

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Confidential Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
SO.3 - Customer-Managed Keys SO.3 Azure products must be configured to use Customer-Managed Keys when possible. Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
SO.4 - Azure Confidential Computing SO.4 Azure products must be configured to use Azure Confidential Computing SKUs when possible. Allowed virtual machine size SKUs 1.0.1

Microsoft cloud security benchmark

The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Network Security NS-1 Establish network segmentation boundaries Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Security NS-1 Establish network segmentation boundaries All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Network Security NS-1 Establish network segmentation boundaries Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Security NS-1 Establish network segmentation boundaries Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Network Security NS-3 Deploy firewall at the edge of enterprise network IP Forwarding on your virtual machine should be disabled 3.0.0
Network Security NS-3 Deploy firewall at the edge of enterprise network Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Network Security NS-3 Deploy firewall at the edge of enterprise network Management ports should be closed on your virtual machines 3.0.0
Network Security NS-7 Simplify network security configuration Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Identity Management IM-3 Manage application identities securely and automatically Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Identity Management IM-6 Use strong authentication controls Authentication to Linux machines should require SSH keys 3.2.0
Identity Management IM-8 Restrict the exposure of credential and secrets Machines should have secret findings resolved 1.0.2
Privileged Access PA-2 Avoid standing access for accounts and permissions Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Data Protection DP-3 Encrypt sensitive data in transit Windows machines should be configured to use secure communication protocols 4.1.1
Data Protection DP-4 Enable data at rest encryption by default Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. 1.2.1
Data Protection DP-4 Enable data at rest encryption by default Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
Data Protection DP-4 Enable data at rest encryption by default Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Data Protection DP-4 Enable data at rest encryption by default Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. 1.1.1
Asset Management AM-2 Use only approved services Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Asset Management AM-5 Use only approved applications in virtual machine Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Asset Management AM-5 Use only approved applications in virtual machine Allowlist rules in your adaptive application control policy should be updated 3.0.0
Logging and Threat Detection LT-1 Enable threat detection capabilities Windows Defender Exploit Guard should be enabled on your machines 2.0.0
Logging and Threat Detection LT-2 Enable threat detection for identity and access management Windows Defender Exploit Guard should be enabled on your machines 2.0.0
Logging and Threat Detection LT-4 Enable network logging for security investigation [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Logging and Threat Detection LT-4 Enable network logging for security investigation [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Logging and Threat Detection LT-5 Centralize security log management and analysis Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Logging and Threat Detection LT-5 Centralize security log management and analysis Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 6.0.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets 5.1.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 4.0.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets 3.1.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: Linux virtual machines should use only signed and trusted boot components 1.0.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: Secure Boot should be enabled on supported Windows virtual machines 4.0.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources [Preview]: vTPM should be enabled on supported virtual machines 2.0.0-preview
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources Guest Configuration extension should be installed on your machines 1.0.3
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Posture and Vulnerability Management PV-4 Audit and enforce secure configurations for compute resources Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Posture and Vulnerability Management PV-5 Perform vulnerability assessments A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Posture and Vulnerability Management PV-5 Perform vulnerability assessments Machines should have secret findings resolved 1.0.2
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities [Preview]: System updates should be installed on your machines (powered by Update Center) 1.0.0-preview
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities Machines should be configured to periodically check for missing system updates 3.7.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities SQL servers on machines should have vulnerability findings resolved 1.0.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities System updates on virtual machine scale sets should be installed 3.0.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities System updates should be installed on your machines 4.0.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities Vulnerabilities in container security configurations should be remediated 3.0.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Endpoint Security ES-2 Use modern anti-malware software Endpoint protection health issues should be resolved on your machines 1.0.0
Endpoint Security ES-2 Use modern anti-malware software Endpoint protection should be installed on your machines 1.0.0
Endpoint Security ES-2 Use modern anti-malware software Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Endpoint Security ES-2 Use modern anti-malware software Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Endpoint Security ES-2 Use modern anti-malware software Windows Defender Exploit Guard should be enabled on your machines 2.0.0
Endpoint Security ES-3 Ensure anti-malware software and signatures are updated Endpoint protection health issues should be resolved on your machines 1.0.0
Backup and Recovery BR-1 Ensure regular automated backups Azure Backup should be enabled for Virtual Machines 3.0.0
Backup and Recovery BR-2 Protect backup and recovery data Azure Backup should be enabled for Virtual Machines 3.0.0
DevOps Security DS-6 Enforce security of workload throughout DevOps lifecycle Vulnerabilities in container security configurations should be remediated 3.0.0

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Audit Linux machines that have accounts without passwords 3.1.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Authentication to Linux machines should require SSH keys 3.2.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Disk access resources should use private link 1.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control 3.1.12 Monitor and control remote access sessions. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control 3.1.12 Monitor and control remote access sessions. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control 3.1.12 Monitor and control remote access sessions. Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control 3.1.12 Monitor and control remote access sessions. Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control 3.1.12 Monitor and control remote access sessions. Disk access resources should use private link 1.0.0
Access Control 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Disk access resources should use private link 1.0.0
Access Control 3.1.14 Route remote access via managed access control points. Disk access resources should use private link 1.0.0
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Disk access resources should use private link 1.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. IP Forwarding on your virtual machine should be disabled 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Management ports should be closed on your virtual machines 3.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Audit Windows machines missing any of specified members in the Administrators group 2.0.0
Access Control 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Audit Windows machines that have the specified members in the Administrators group 2.0.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Disk access resources should use private link 1.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
System and Communications Protection 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. OS and data disks should be encrypted with a customer-managed key 3.0.0
System and Communications Protection 3.13.16 Protect the confidentiality of CUI at rest. Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System and Communications Protection 3.13.16 Protect the confidentiality of CUI at rest. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Disk access resources should use private link 1.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Disk access resources should use private link 1.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Windows machines should be configured to use secure communication protocols 4.1.1
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. System updates should be installed on your machines 4.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Information Integrity 3.14.2 Provide protection from malicious code at designated locations within organizational systems. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity 3.14.2 Provide protection from malicious code at designated locations within organizational systems. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity 3.14.2 Provide protection from malicious code at designated locations within organizational systems. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity 3.14.2 Provide protection from malicious code at designated locations within organizational systems. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 3.14.2 Provide protection from malicious code at designated locations within organizational systems. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Information Integrity 3.14.3 Monitor system security alerts and advisories and take action in response. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 3.14.4 Update malicious code protection mechanisms when new releases are available. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity 3.14.4 Update malicious code protection mechanisms when new releases are available. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity 3.14.4 Update malicious code protection mechanisms when new releases are available. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity 3.14.4 Update malicious code protection mechanisms when new releases are available. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 3.14.4 Update malicious code protection mechanisms when new releases are available. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Information Integrity 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
System and Information Integrity 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Microsoft IaaSAntimalware extension should be deployed on Windows servers 1.1.0
System and Information Integrity 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Guest Configuration extension should be installed on your machines 1.0.3
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Guest Configuration extension should be installed on your machines 1.0.3
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Guest Configuration extension should be installed on your machines 1.0.3
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Virtual machines should have the Log Analytics extension installed 1.0.1
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Guest Configuration extension should be installed on your machines 1.0.3
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Virtual machines should be connected to a specified workspace 1.1.0
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Virtual machines should have the Log Analytics extension installed 1.0.1
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Configuration Management 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management 3.4.9 Control and monitor user-installed software. Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management 3.4.9 Control and monitor user-installed software. Allowlist rules in your adaptive application control policy should be updated 3.0.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication 3.5.10 Store and transmit only cryptographically-protected passwords. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Authentication to Linux machines should require SSH keys 3.2.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Windows machines should meet requirements for 'Security Options - Network Security' 3.0.0
Identification and Authentication 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification and Authentication 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication 3.5.8 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication 3.5.8 Prohibit password reuse for a specified number of generations. Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication 3.5.8 Prohibit password reuse for a specified number of generations. Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification and Authentication 3.5.8 Prohibit password reuse for a specified number of generations. Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Media Protection 3.8.9 Protect the confidentiality of backup CUI at storage locations. Azure Backup should be enabled for Virtual Machines 3.0.0

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 (12) Account Monitoring / Atypical Usage Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-3 Access Enforcement Audit Linux machines that have accounts without passwords 3.1.0
Access Control AC-3 Access Enforcement Authentication to Linux machines should require SSH keys 3.2.0
Access Control AC-3 Access Enforcement Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-3 Access Enforcement Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control AC-4 Information Flow Enforcement Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control AC-4 Information Flow Enforcement Disk access resources should use private link 1.0.0
Access Control AC-4 Information Flow Enforcement Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 Information Flow Enforcement IP Forwarding on your virtual machine should be disabled 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports should be closed on your virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 (3) Dynamic Information Flow Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 (3) Dynamic Information Flow Control Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 Remote Access Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 Remote Access Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 Remote Access Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 Remote Access Disk access resources should use private link 1.0.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 (1) Automated Monitoring / Control Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 (1) Automated Monitoring / Control Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 (1) Automated Monitoring / Control Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 (1) Automated Monitoring / Control Disk access resources should use private link 1.0.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-6 (4) Central Review And Analysis [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 (4) Central Review And Analysis [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-6 (4) Central Review And Analysis Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-6 (4) Central Review And Analysis Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit And Accountability AU-12 Audit Generation [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-12 Audit Generation Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-12 Audit Generation Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 Audit Generation Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 Audit Generation Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Guest Configuration extension should be installed on your machines 1.0.3
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Configuration Management CM-6 Configuration Settings Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management CM-6 Configuration Settings Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Configuration Management CM-7 Least Functionality Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 Least Functionality Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (5) Authorized Software / Whitelisting Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-10 Software Usage Restrictions Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-10 Software Usage Restrictions Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-11 User-Installed Software Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-11 User-Installed Software Allowlist rules in your adaptive application control policy should be updated 3.0.0
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Contingency Planning CP-9 Information System Backup Azure Backup should be enabled for Virtual Machines 3.0.0
Identification And Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification And Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification And Authentication IA-5 Authenticator Management Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification And Authentication IA-5 Authenticator Management Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification And Authentication IA-5 Authenticator Management Authentication to Linux machines should require SSH keys 3.2.0
Identification And Authentication IA-5 Authenticator Management Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification And Authentication IA-5 Authenticator Management Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification And Authentication IA-5 (1) Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification And Authentication IA-5 (1) Password-Based Authentication Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification And Authentication IA-5 (1) Password-Based Authentication Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment RA-5 Vulnerability Scanning A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RA-5 Vulnerability Scanning SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System And Communications Protection SC-3 Security Function Isolation Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Communications Protection SC-3 Security Function Isolation Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Communications Protection SC-3 Security Function Isolation Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Communications Protection SC-5 Denial Of Service Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 Boundary Protection Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System And Communications Protection SC-7 Boundary Protection All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System And Communications Protection SC-7 Boundary Protection Disk access resources should use private link 1.0.0
System And Communications Protection SC-7 Boundary Protection Internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 Boundary Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 Boundary Protection Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System And Communications Protection SC-7 Boundary Protection Management ports should be closed on your virtual machines 3.0.0
System And Communications Protection SC-7 Boundary Protection Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 (3) Access Points Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System And Communications Protection SC-7 (3) Access Points All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System And Communications Protection SC-7 (3) Access Points Disk access resources should use private link 1.0.0
System And Communications Protection SC-7 (3) Access Points Internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-7 (3) Access Points IP Forwarding on your virtual machine should be disabled 3.0.0
System And Communications Protection SC-7 (3) Access Points Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System And Communications Protection SC-7 (3) Access Points Management ports should be closed on your virtual machines 3.0.0
System And Communications Protection SC-7 (3) Access Points Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System And Communications Protection SC-8 Transmission Confidentiality And Integrity Windows machines should be configured to use secure communication protocols 4.1.1
System And Communications Protection SC-8 (1) Cryptographic Or Alternate Physical Protection Windows machines should be configured to use secure communication protocols 4.1.1
System And Communications Protection SC-12 Cryptographic Key Establishment And Management Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management OS and data disks should be encrypted with a customer-managed key 3.0.0
System And Communications Protection SC-28 Protection Of Information At Rest Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System And Communications Protection SC-28 Protection Of Information At Rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System And Communications Protection SC-28 (1) Cryptographic Protection Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System And Communications Protection SC-28 (1) Cryptographic Protection Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System And Information Integrity SI-2 Flaw Remediation A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System And Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 3.0.0
System And Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 4.0.0
System And Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System And Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Information Integrity SI-3 Malicious Code Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Information Integrity SI-3 (1) Central Management Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System And Information Integrity SI-3 (1) Central Management Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System And Information Integrity SI-3 (1) Central Management Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System And Information Integrity SI-4 Information System Monitoring [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System And Information Integrity SI-4 Information System Monitoring [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System And Information Integrity SI-4 Information System Monitoring Guest Configuration extension should be installed on your machines 1.0.3
System And Information Integrity SI-4 Information System Monitoring Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System And Information Integrity SI-4 Information System Monitoring Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System And Information Integrity SI-4 Information System Monitoring Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
System And Information Integrity SI-16 Memory Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 (12) Account Monitoring for Atypical Usage Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-3 Access Enforcement Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-3 Access Enforcement Audit Linux machines that have accounts without passwords 3.1.0
Access Control AC-3 Access Enforcement Authentication to Linux machines should require SSH keys 3.2.0
Access Control AC-3 Access Enforcement Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-3 Access Enforcement Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Access Control AC-4 Information Flow Enforcement Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Access Control AC-4 Information Flow Enforcement Disk access resources should use private link 1.0.0
Access Control AC-4 Information Flow Enforcement Internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 Information Flow Enforcement IP Forwarding on your virtual machine should be disabled 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-4 Information Flow Enforcement Management ports should be closed on your virtual machines 3.0.0
Access Control AC-4 Information Flow Enforcement Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Access Control AC-4 (3) Dynamic Information Flow Control Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Access Control AC-4 (3) Dynamic Information Flow Control Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 Remote Access Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 Remote Access Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 Remote Access Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 Remote Access Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 Remote Access Disk access resources should use private link 1.0.0
Access Control AC-17 (1) Monitoring and Control Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Access Control AC-17 (1) Monitoring and Control Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Access Control AC-17 (1) Monitoring and Control Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
Access Control AC-17 (1) Monitoring and Control Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Access Control AC-17 (1) Monitoring and Control Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Access Control AC-17 (1) Monitoring and Control Disk access resources should use private link 1.0.0
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-6 (4) Central Review and Analysis [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-6 (4) Central Review and Analysis [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-6 (4) Central Review and Analysis Guest Configuration extension should be installed on your machines 1.0.3
Audit and Accountability AU-6 (4) Central Review and Analysis Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Guest Configuration extension should be installed on your machines 1.0.3
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit and Accountability AU-12 Audit Record Generation [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-12 Audit Record Generation [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-12 Audit Record Generation Guest Configuration extension should be installed on your machines 1.0.3
Audit and Accountability AU-12 Audit Record Generation Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-12 Audit Record Generation Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-12 Audit Record Generation Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Guest Configuration extension should be installed on your machines 1.0.3
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Configuration Management CM-6 Configuration Settings Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Configuration Management CM-6 Configuration Settings Windows machines should meet requirements of the Azure compute security baseline 2.0.0
Configuration Management CM-7 Least Functionality Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 Least Functionality Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (2) Prevent Program Execution Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-7 (5) Authorized Software ??? Allow-by-exception Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-7 (5) Authorized Software ??? Allow-by-exception Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-10 Software Usage Restrictions Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-10 Software Usage Restrictions Allowlist rules in your adaptive application control policy should be updated 3.0.0
Configuration Management CM-11 User-installed Software Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Configuration Management CM-11 User-installed Software Allowlist rules in your adaptive application control policy should be updated 3.0.0
Contingency Planning CP-7 Alternate Processing Site Audit virtual machines without disaster recovery configured 1.0.0
Contingency Planning CP-9 System Backup Azure Backup should be enabled for Virtual Machines 3.0.0
Identification and Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA-5 Authenticator Management Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA-5 Authenticator Management Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication IA-5 Authenticator Management Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication IA-5 Authenticator Management Authentication to Linux machines should require SSH keys 3.2.0
Identification and Authentication IA-5 Authenticator Management Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification and Authentication IA-5 Authenticator Management Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Identification and Authentication IA-5 (1) Password-based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Linux machines that do not have the passwd file permissions set to 0644 3.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Windows machines that do not have the minimum password age set to specified number of days 2.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Windows machines that do not have the password complexity setting enabled 2.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Audit Windows machines that do not store passwords using reversible encryption 2.0.0
Identification and Authentication IA-5 (1) Password-based Authentication Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs 3.1.0
Identification and Authentication IA-5 (1) Password-based Authentication Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning SQL servers on machines should have vulnerability findings resolved 1.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerabilities in container security configurations should be remediated 3.0.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Communications Protection SC-3 Security Function Isolation Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Communications Protection SC-3 Security Function Isolation Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Communications Protection SC-3 Security Function Isolation Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Communications Protection SC-5 Denial-of-service Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection SC-7 Boundary Protection Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC-7 Boundary Protection All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC-7 Boundary Protection Disk access resources should use private link 1.0.0
System and Communications Protection SC-7 Boundary Protection Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-7 Boundary Protection IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection SC-7 Boundary Protection Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC-7 Boundary Protection Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection SC-7 Boundary Protection Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-7 (3) Access Points Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
System and Communications Protection SC-7 (3) Access Points All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
System and Communications Protection SC-7 (3) Access Points Disk access resources should use private link 1.0.0
System and Communications Protection SC-7 (3) Access Points Internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-7 (3) Access Points IP Forwarding on your virtual machine should be disabled 3.0.0
System and Communications Protection SC-7 (3) Access Points Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
System and Communications Protection SC-7 (3) Access Points Management ports should be closed on your virtual machines 3.0.0
System and Communications Protection SC-7 (3) Access Points Non-internet-facing virtual machines should be protected with network security groups 3.0.0
System and Communications Protection SC-8 Transmission Confidentiality and Integrity Windows machines should be configured to use secure communication protocols 4.1.1
System and Communications Protection SC-8 (1) Cryptographic Protection Windows machines should be configured to use secure communication protocols 4.1.1
System and Communications Protection SC-12 Cryptographic Key Establishment and Management Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
System and Communications Protection SC-12 Cryptographic Key Establishment and Management OS and data disks should be encrypted with a customer-managed key 3.0.0
System and Communications Protection SC-28 Protection of Information at Rest Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System and Communications Protection SC-28 Protection of Information at Rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Communications Protection SC-28 (1) Cryptographic Protection Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
System and Information Integrity SI-2 Flaw Remediation A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
System and Information Integrity SI-2 Flaw Remediation System updates on virtual machine scale sets should be installed 3.0.0
System and Information Integrity SI-2 Flaw Remediation System updates should be installed on your machines 4.0.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your machines should be remediated 3.1.0
System and Information Integrity SI-2 Flaw Remediation Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Monitor missing Endpoint Protection in Azure Security Center 3.0.0
System and Information Integrity SI-3 Malicious Code Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0
System and Information Integrity SI-4 System Monitoring [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
System and Information Integrity SI-4 System Monitoring [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
System and Information Integrity SI-4 System Monitoring Guest Configuration extension should be installed on your machines 1.0.3
System and Information Integrity SI-4 System Monitoring Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
System and Information Integrity SI-4 System Monitoring Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
System and Information Integrity SI-4 System Monitoring Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
System and Information Integrity SI-16 Memory Protection Windows Defender Exploit Guard should be enabled on your machines 2.0.0

NL BIO Cloud Theme

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. System updates on virtual machine scale sets should be installed 3.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. System updates should be installed on your machines 4.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. System updates on virtual machine scale sets should be installed 3.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. System updates should be installed on your machines 4.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. System updates on virtual machine scale sets should be installed 3.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. System updates should be installed on your machines 4.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
C.04.8 Technical vulnerability management - Evaluated C.04.8 The evaluation reports contain suggestions for improvement and are communicated with managers/owners. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
C.04.8 Technical vulnerability management - Evaluated C.04.8 The evaluation reports contain suggestions for improvement and are communicated with managers/owners. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
C.04.8 Technical vulnerability management - Evaluated C.04.8 The evaluation reports contain suggestions for improvement and are communicated with managers/owners. System updates should be installed on your machines 4.0.0
C.04.8 Technical vulnerability management - Evaluated C.04.8 The evaluation reports contain suggestions for improvement and are communicated with managers/owners. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
U.03.1 Business Continuity Services - Redundancy U.03.1 The agreed continuity is guaranteed by sufficiently logical or physically multiple system functions. Audit virtual machines without disaster recovery configured 1.0.0
U.03.1 Business Continuity Services - Redundancy U.03.1 The agreed continuity is guaranteed by sufficiently logical or physically multiple system functions. Azure Backup should be enabled for Virtual Machines 3.0.0
U.03.2 Business Continuity Services - Continuity requirements U.03.2 The continuity requirements for cloud services agreed with the CSC are ensured by the system architecture. Audit virtual machines without disaster recovery configured 1.0.0
U.03.2 Business Continuity Services - Continuity requirements U.03.2 The continuity requirements for cloud services agreed with the CSC are ensured by the system architecture. Azure Backup should be enabled for Virtual Machines 3.0.0
U.04.1 Data and Cloud Service Recovery - Restore function U.04.1 The data and cloud services are restored within the agreed period and maximum data loss and made available to the CSC. Audit virtual machines without disaster recovery configured 1.0.0
U.04.2 Data and Cloud Service Recovery - Restore function U.04.2 The continuous process of recoverable protection of data is monitored. Audit virtual machines without disaster recovery configured 1.0.0
U.04.3 Data and Cloud Service Recovery - Tested U.04.3 The functioning of recovery functions is periodically tested and the results are shared with the CSC. Audit virtual machines without disaster recovery configured 1.0.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. Windows machines should be configured to use secure communication protocols 4.1.1
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 6.0.0-preview
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets 5.1.0-preview
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 4.0.0-preview
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets 3.1.0-preview
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. [Preview]: Secure Boot should be enabled on supported Windows virtual machines 4.0.0-preview
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. [Preview]: vTPM should be enabled on supported virtual machines 2.0.0-preview
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. OS and data disks should be encrypted with a customer-managed key 3.0.0
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Disk access resources should use private link 1.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Internet-facing virtual machines should be protected with network security groups 3.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. IP Forwarding on your virtual machine should be disabled 3.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Management ports should be closed on your virtual machines 3.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Non-internet-facing virtual machines should be protected with network security groups 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. IP Forwarding on your virtual machine should be disabled 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Monitor missing Endpoint Protection in Azure Security Center 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. System updates on virtual machine scale sets should be installed 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. System updates should be installed on your machines 4.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Vulnerabilities in security configuration on your machines should be remediated 3.1.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Windows Defender Exploit Guard should be enabled on your machines 2.0.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. Audit Linux machines that have accounts without passwords 3.1.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. Audit VMs that do not use managed disks 1.0.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. Audit Linux machines that have accounts without passwords 3.1.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. Audit VMs that do not use managed disks 1.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. Audit Linux machines that allow remote connections from accounts without passwords 3.1.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. Audit Linux machines that have accounts without passwords 3.1.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. Audit VMs that do not use managed disks 1.0.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Windows machines should be configured to use secure communication protocols 4.1.1
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Audit Windows machines that do not store passwords using reversible encryption 2.0.0
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Windows machines should be configured to use secure communication protocols 4.1.1
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 6.0.0-preview
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets 5.1.0-preview
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 4.0.0-preview
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets 3.1.0-preview
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. [Preview]: Secure Boot should be enabled on supported Windows virtual machines 4.0.0-preview
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. [Preview]: vTPM should be enabled on supported virtual machines 2.0.0-preview
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. Managed disks should be double encrypted with both platform-managed and customer-managed keys 1.0.0
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. OS and data disks should be encrypted with a customer-managed key 3.0.0
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. Virtual machines and virtual machine scale sets should have encryption at host enabled 1.0.0
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
U.12.1 Interfaces - Network connections U.12.1 In connection points with external or untrusted zones, measures are taken against attacks. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
U.12.1 Interfaces - Network connections U.12.1 In connection points with external or untrusted zones, measures are taken against attacks. IP Forwarding on your virtual machine should be disabled 3.0.0
U.12.2 Interfaces - Network connections U.12.2 Network components are such that network connections between trusted and untrusted networks are limited. All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
U.12.2 Interfaces - Network connections U.12.2 Network components are such that network connections between trusted and untrusted networks are limited. IP Forwarding on your virtual machine should be disabled 3.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Dependency agent should be enabled for listed virtual machine images 2.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images 2.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Guest Configuration extension should be installed on your machines 1.0.3
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
U.15.3 Logging and monitoring - Events logged U.15.3 CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
U.15.3 Logging and monitoring - Events logged U.15.3 CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. Dependency agent should be enabled for listed virtual machine images 2.0.0
U.15.3 Logging and monitoring - Events logged U.15.3 CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images 2.0.0
U.15.3 Logging and monitoring - Events logged U.15.3 CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
U.17.1 Multi-tenant architecture - Encrypted U.17.1 CSC data on transport and at rest is encrypted. Audit virtual machines without disaster recovery configured 1.0.0
U.17.1 Multi-tenant architecture - Encrypted U.17.1 CSC data on transport and at rest is encrypted. Azure Backup should be enabled for Virtual Machines 3.0.0

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Requirement 1 1.3.2 PCI DSS requirement 1.3.2 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Requirement 1 1.3.4 PCI DSS requirement 1.3.4 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Requirement 10 10.5.4 PCI DSS requirement 10.5.4 Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Requirement 11 11.2.1 PCI DSS requirement 11.2.1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 11 11.2.1 PCI DSS requirement 11.2.1 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 11 11.2.1 PCI DSS requirement 11.2.1 System updates should be installed on your machines 4.0.0
Requirement 11 11.2.1 PCI DSS requirement 11.2.1 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 3 3.4 PCI DSS requirement 3.4 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 4 4.1 PCI DSS requirement 4.1 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 5 5.1 PCI DSS requirement 5.1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 5 5.1 PCI DSS requirement 5.1 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 5 5.1 PCI DSS requirement 5.1 System updates should be installed on your machines 4.0.0
Requirement 5 5.1 PCI DSS requirement 5.1 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 6 6.2 PCI DSS requirement 6.2 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 6 6.2 PCI DSS requirement 6.2 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 6 6.2 PCI DSS requirement 6.2 System updates should be installed on your machines 4.0.0
Requirement 6 6.2 PCI DSS requirement 6.2 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 6 6.5.3 PCI DSS requirement 6.5.3 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 6 6.6 PCI DSS requirement 6.6 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 6 6.6 PCI DSS requirement 6.6 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 6 6.6 PCI DSS requirement 6.6 System updates should be installed on your machines 4.0.0
Requirement 6 6.6 PCI DSS requirement 6.6 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 8 8.2.3 PCI DSS requirement 8.2.3 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Requirement 8 8.2.3 PCI DSS requirement 8.2.3 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Requirement 8 8.2.3 PCI DSS requirement 8.2.3 Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Requirement 8 8.2.3 PCI DSS requirement 8.2.3 Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Requirement 8 8.2.3 PCI DSS requirement 8.2.3 Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Requirement 8 8.2.3 PCI DSS requirement 8.2.3 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0
Requirement 8 8.2.5 PCI DSS requirement 8.2.5 Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Requirement 8 8.2.5 PCI DSS requirement 8.2.5 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Requirement 8 8.2.5 PCI DSS requirement 8.2.5 Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Requirement 8 8.2.5 PCI DSS requirement 8.2.5 Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Requirement 8 8.2.5 PCI DSS requirement 8.2.5 Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Requirement 8 8.2.5 PCI DSS requirement 8.2.5 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0

PCI DSS v4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Requirement 01: Install and Maintain Network Security Controls 1.3.2 Network access to and from the cardholder data environment is restricted All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Requirement 01: Install and Maintain Network Security Controls 1.4.2 Network connections between trusted and untrusted networks are controlled All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data 10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data 10.3.3 Audit logs are protected from destruction and unauthorized modifications Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Requirement 11: Test Security of Systems and Networks Regularly 11.3.1 External and internal vulnerabilities are regularly identified, prioritized, and addressed A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 11: Test Security of Systems and Networks Regularly 11.3.1 External and internal vulnerabilities are regularly identified, prioritized, and addressed Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 11: Test Security of Systems and Networks Regularly 11.3.1 External and internal vulnerabilities are regularly identified, prioritized, and addressed System updates should be installed on your machines 4.0.0
Requirement 11: Test Security of Systems and Networks Regularly 11.3.1 External and internal vulnerabilities are regularly identified, prioritized, and addressed Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 03: Protect Stored Account Data 3.5.1 Primary account number (PAN) is secured wherever it is stored Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.1 Malicious software (malware) is prevented, or detected and addressed A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.1 Malicious software (malware) is prevented, or detected and addressed Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.1 Malicious software (malware) is prevented, or detected and addressed System updates should be installed on your machines 4.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.1 Malicious software (malware) is prevented, or detected and addressed Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.2 Malicious software (malware) is prevented, or detected and addressed A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.2 Malicious software (malware) is prevented, or detected and addressed Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.2 Malicious software (malware) is prevented, or detected and addressed System updates should be installed on your machines 4.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.2 Malicious software (malware) is prevented, or detected and addressed Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.3 Malicious software (malware) is prevented, or detected and addressed A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.3 Malicious software (malware) is prevented, or detected and addressed Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.3 Malicious software (malware) is prevented, or detected and addressed System updates should be installed on your machines 4.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.3 Malicious software (malware) is prevented, or detected and addressed Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.2.4 Bespoke and custom software are developed securely Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Requirement 06: Develop and Maintain Secure Systems and Software 6.3.3 Security vulnerabilities are identified and addressed A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.3.3 Security vulnerabilities are identified and addressed Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.3.3 Security vulnerabilities are identified and addressed System updates should be installed on your machines 4.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.3.3 Security vulnerabilities are identified and addressed Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.4.1 Public-facing web applications are protected against attacks A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.4.1 Public-facing web applications are protected against attacks Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.4.1 Public-facing web applications are protected against attacks System updates should be installed on your machines 4.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.4.1 Public-facing web applications are protected against attacks Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.3.6 Strong authentication for users and administrators is established and managed Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities 4.1.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.3.6 Strong authentication for users and administrators is established and managed Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity 4.1.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.3.6 Strong authentication for users and administrators is established and managed Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords 2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.3.6 Strong authentication for users and administrators is established and managed Audit Windows machines that do not have the maximum password age set to specified number of days 2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.3.6 Strong authentication for users and administrators is established and managed Audit Windows machines that do not restrict the minimum password length to specified number of characters 2.1.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.3.6 Strong authentication for users and administrators is established and managed Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs 1.2.0

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
IT Governance 1 IT Governance-1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
IT Governance 1 IT Governance-1 SQL servers on machines should have vulnerability findings resolved 1.0.0
IT Governance 1 IT Governance-1 System updates on virtual machine scale sets should be installed 3.0.0
IT Governance 1 IT Governance-1 System updates should be installed on your machines 4.0.0
IT Governance 1 IT Governance-1 Vulnerabilities in container security configurations should be remediated 3.0.0
IT Governance 1 IT Governance-1 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
IT Governance 1 IT Governance-1 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
IT Governance 1.1 IT Governance-1.1 IP Forwarding on your virtual machine should be disabled 3.0.0
IT Governance 1.1 IT Governance-1.1 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
IT Governance 1.1 IT Governance-1.1 Management ports should be closed on your virtual machines 3.0.0
IT Policy 2 IT Policy-2 Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
IT Policy 2 IT Policy-2 Allowlist rules in your adaptive application control policy should be updated 3.0.0
Information and Cyber Security 3.1.b Segregation of Functions-3.1 [Preview]: Secure Boot should be enabled on supported Windows virtual machines 4.0.0-preview
Information and Cyber Security 3.1.b Segregation of Functions-3.1 [Preview]: vTPM should be enabled on supported virtual machines 2.0.0-preview
Information and Cyber Security 3.1.b Segregation of Functions-3.1 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Information and Cyber Security 3.1.c Role based Access Control-3.1 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Information and Cyber Security 3.1.g Trails-3.1 [Preview]: Log Analytics Extension should be enabled for listed virtual machine images 2.0.1-preview
Information and Cyber Security 3.1.g Trails-3.1 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Information and Cyber Security 3.1.g Trails-3.1 [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Information and Cyber Security 3.1.g Trails-3.1 Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring 1.0.0
Information and Cyber Security 3.1.g Trails-3.1 Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Information and Cyber Security 3.1.g Trails-3.1 Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Information and Cyber Security 3.1.g Trails-3.1 The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Information and Cyber Security 3.1.g Trails-3.1 Virtual machines should have the Log Analytics extension installed 1.0.1
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption 2.0.0
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Information and Cyber Security 3.3 Vulnerability Management-3.3 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 SQL servers on machines should have vulnerability findings resolved 1.0.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 System updates on virtual machine scale sets should be installed 3.0.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 System updates should be installed on your machines 4.0.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 Vulnerabilities in container security configurations should be remediated 3.0.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
IT Operations 4.2 IT Operations-4.2 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
IT Operations 4.4.a IT Operations-4.4 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
IT Operations 4.4.b MIS For Top Management-4.4 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
IS Audit 5 Policy for Information System Audit (IS Audit)-5 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
IS Audit 5 Policy for Information System Audit (IS Audit)-5 Internet-facing virtual machines should be protected with network security groups 3.0.0
IS Audit 5 Policy for Information System Audit (IS Audit)-5 IP Forwarding on your virtual machine should be disabled 3.0.0
IS Audit 5 Policy for Information System Audit (IS Audit)-5 Non-internet-facing virtual machines should be protected with network security groups 3.0.0
IS Audit 5.2 Coverage-5.2 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning 6 Business Continuity Planning (BCP) and Disaster Recovery-6 Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity Planning 6 Business Continuity Planning (BCP) and Disaster Recovery-6 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning 6.2 Recovery strategy / Contingency Plan-6.2 Audit virtual machines without disaster recovery configured 1.0.0
Business Continuity Planning 6.2 Recovery strategy / Contingency Plan-6.2 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning 6.3 Recovery strategy / Contingency Plan-6.3 Azure Backup should be enabled for Virtual Machines 3.0.0
Business Continuity Planning 6.4 Recovery strategy / Contingency Plan-6.4 Audit virtual machines without disaster recovery configured 1.0.0

Reserve Bank of India IT Framework for Banks v2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 6.0.0-preview
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets 5.1.0-preview
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 4.0.0-preview
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets 3.1.0-preview
Network Management And Security Network Inventory-4.2 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines 1.0.2-preview
Network Management And Security Network Inventory-4.2 [Preview]: Network traffic data collection agent should be installed on Windows virtual machines 1.0.2-preview
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 [Preview]: Secure Boot should be enabled on supported Windows virtual machines 4.0.0-preview
Network Management And Security Network Device Configuration Management-4.3 [Preview]: vTPM should be enabled on supported virtual machines 2.0.0-preview
Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.1 A vulnerability assessment solution should be enabled on your virtual machines 3.0.0
Network Management And Security Network Inventory-4.2 Adaptive application controls for defining safe applications should be enabled on your machines 3.0.0
Network Management And Security Network Device Configuration Management-4.3 Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Network Management And Security Network Device Configuration Management-4.3 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Network Management And Security Network Inventory-4.2 Allowlist rules in your adaptive application control policy should be updated 3.0.0
Incident Response & Management Recovery From Cyber - Incidents-19.4 Audit virtual machines without disaster recovery configured 1.0.0
Authentication Framework For Customers Authentication Framework For Customers-9.1 Authentication to Linux machines should require SSH keys 3.2.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.3 Azure Backup should be enabled for Virtual Machines 3.0.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 Endpoint protection health issues should be resolved on your machines 1.0.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 Endpoint protection should be installed on your machines 1.0.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 Endpoint protection solution should be installed on virtual machine scale sets 3.0.0
Audit Log Settings Audit Log Settings-17.1 Guest Configuration extension should be installed on your machines 1.0.3
Secure Configuration Secure Configuration-5.2 Hotpatch should be enabled for Windows Server Azure Edition VMs 1.0.0
Network Management And Security Network Device Configuration Management-4.3 Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Management And Security Network Device Configuration Management-4.3 IP Forwarding on your virtual machine should be disabled 3.0.0
Audit Log Settings Audit Log Settings-17.1 Linux machines should meet requirements for the Azure compute security baseline 2.2.0
Maintenance, Monitoring, And Analysis Of Audit Logs Maintenance, Monitoring, And Analysis Of Audit Logs-16.3 Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring 1.0.0
Network Management And Security Network Device Configuration Management-4.3 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Network Management And Security Network Device Configuration Management-4.3 Management ports should be closed on your virtual machines 3.0.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 Monitor missing Endpoint Protection in Azure Security Center 3.0.0
Network Management And Security Network Device Configuration Management-4.3 Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Preventing Execution Of Unauthorised Software Security Update Management-2.3 SQL servers on machines should have vulnerability findings resolved 1.0.0
Preventing Execution Of Unauthorised Software Security Update Management-2.3 System updates on virtual machine scale sets should be installed 3.0.0
Preventing Execution Of Unauthorised Software Security Update Management-2.3 System updates should be installed on your machines 4.0.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.1 Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
User Access Control / Management User Access Control / Management-8.4 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Preventing Execution Of Unauthorised Software Security Update Management-2.3 Vulnerabilities in container security configurations should be remediated 3.0.0
Preventing Execution Of Unauthorised Software Security Update Management-2.3 Vulnerabilities in security configuration on your machines should be remediated 3.1.0
Preventing Execution Of Unauthorised Software Security Update Management-2.3 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Secure Configuration Secure Configuration-5.1 Windows Defender Exploit Guard should be enabled on your machines 2.0.0
Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 Windows machines should be configured to use secure communication protocols 4.1.1
Audit Log Settings Audit Log Settings-17.1 Windows machines should meet requirements of the Azure compute security baseline 2.0.0

RMIT Malaysia

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Datacenter Operations 10.27 Datacenter Operations - 10.27 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets 3.1.0
Datacenter Operations 10.27 Datacenter Operations - 10.27 Virtual machines should be migrated to new Azure Resource Manager resources 1.0.0
Datacenter Operations 10.30 Datacenter Operations - 10.30 Azure Backup should be enabled for Virtual Machines 3.0.0
Network Resilience 10.33 Network Resilience - 10.33 All network ports should be restricted on network security groups associated to your virtual machine 3.0.0
Network Resilience 10.33 Network Resilience - 10.33 Configure managed disks to disable public network access 2.0.0
Network Resilience 10.33 Network Resilience - 10.33 Internet-facing virtual machines should be protected with network security groups 3.0.0
Network Resilience 10.33 Network Resilience - 10.33 IP Forwarding on your virtual machine should be disabled 3.0.0
Network Resilience 10.33 Network Resilience - 10.33 Managed disks should disable public network access 2.0.0
Network Resilience 10.33 Network Resilience - 10.33 Non-internet-facing virtual machines should be protected with network security groups 3.0.0
Network Resilience 10.33 Network Resilience - 10.33 Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.0.3
Network Resilience 10.35 Network Resilience - 10.35 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets 3.1.0
Cloud Services 10.49 Cloud Services - 10.49 Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Cloud Services 10.49 Cloud Services - 10.49 Management ports should be closed on your virtual machines 3.0.0
Cloud Services 10.51 Cloud Services - 10.51 Adaptive network hardening recommendations should be applied on internet facing virtual machines 3.0.0
Cloud Services 10.51 Cloud Services - 10.51 Audit virtual machines without disaster recovery configured 1.0.0
Cloud Services 10.53 Cloud Services - 10.53 Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption 2.0.0
Cloud Services 10.53 Cloud Services - 10.53 OS and data disks should be encrypted with a customer-managed key 3.0.0
Access Control 10.54 Access Control - 10.54 Guest Configuration extension should be installed on your machines 1.0.3
Access Control 10.54 Access Control - 10.54 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control 10.54 Access Control - 10.54 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Access Control 10.61 Access Control - 10.61 Guest Configuration extension should be installed on your machines 1.0.3
Access Control 10.61 Access Control - 10.61 Management ports of virtual machines should be protected with just-in-time network access control 3.0.0
Access Control 10.61 Access Control - 10.61 Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity 1.0.1
Patch and End-of-Life System Management 10.63 Patch and End-of-Life System Management - 10.63 Microsoft Antimalware for Azure should be configured to automatically update protection signatures 1.0.0
Patch and End-of-Life System Management 10.63 Patch and End-of-Life System Management - 10.63 System updates on virtual machine scale sets should be installed 3.0.0
Patch and End-of-Life System Management 10.65 Patch and End-of-Life System Management - 10.65 System updates should be installed on your machines 4.0.0
Patch and End-of-Life System Management 10.65 Patch and End-of-Life System Management - 10.65 Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3.0.0
Security of Digital Services 10.66 Security of Digital Services - 10.66 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines 3.1.0
Security of Digital Services 10.66 Security of Digital Services - 10.66 Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images 2.0.1
Security of Digital Services 10.66 Security of Digital Services - 10.66 The Log Analytics extension should be installed on Virtual Machine Scale Sets 1.0.1
Security of Digital Services 10.66 Security of Di