×
Search results provided by Azure Search - read how I built it in this post.
Max Melcher

69 minute read

As of writing this post (August 8th, 2019) there are 159 Azure Policies available and 111 are in preview (and 27 deprecated). In this post I try to come up with a decent set of ‘common sense’ policies that can prevent data leaks or other issues, I focus primarily on security-related policies. Some of them are so essential, that I would always recommend to enable them - some of them are very specific, so let us use the old consultant wisdom: “it depends”!

This post assumes that you are aware of the Azure Policy capabilities - if not, please read the excellent overview first. Azure Policy should be a critical component of ever Azure Governance implementation - combined with Azure Management Groups, Blueprints and Cost Management it is really a big enabler.

Available Azure Policies

The following tables contains all the policies that are available for production environments - and removed all that started with [Deprecated], 27 as of now. I used a simple powershell script that exports the available policies so I can use them in this post. Scroll all the way down if you want to see my recommendation or the custom policies I would add. It took me a month to finish this post, 10 new policies moved from preview to production and 60 new policies are available for preview.

Name Description
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.
Access through Internet facing endpoint should be restricted Azure Security center has identified some of your Network Security Groups’ inbound rules to be too permissive. Inbound rules should not allow access from ‘Any’ or ‘Internet’ ranges. This can potentially enable attackers to easily target your resources.
Adaptive Application Controls should be enabled on virtual machines Possible Application Whitelist configuration will be monitored by Azure Security Center
Advanced data security settings for SQL managed instance should contain an email address to receive security alerts Ensure that an email address is provided for the ‘Send alerts to’ field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL managed instances.
Advanced data security settings for SQL server should contain an email address to receive security alerts Ensure that an email address is provided for the ‘Send alerts to’ field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers.
Advanced data security should be enabled on your SQL managed instances Audit SQL managed instances without Advanced Data Security
Advanced data security should be enabled on your SQL servers Audit SQL servers without Advanced Data Security
Advanced Threat Protection types should be set to ‘All’ in SQL managed instance Advanced Data Security settings It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.
Advanced Threat Protection types should be set to ‘All’ in SQL server Advanced Data Security settings It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace Event Hub clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues and topics to provide access to only the specific entity
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace. To align with the least privilege security model, you shoud create access policies at the entity level for queues and topics to provide access to only the specific entity
Allow resource creation if ‘department’ tag set Allows resource creation only if the ‘department’ tag is set
Allow resource creation if ‘environment’ tag value in allowed values Allows resource creation if the ‘environment’ tag is set to one of the following values: production, dev, test, staging
Allow resource creation only in Asia data centers Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West
Allow resource creation only in European data centers Allows resource creation in the following locations only: North Europe, West Europe
Allow resource creation only in India data centers Allows resource creation in the following locations only: West India, South India, Central India
Allow resource creation only in Japan data centers Allows resource creation in the following locations only: Japan East, Japan West
Allow resource creation only in Japan data centers Allows resource creation in the following locations only: Japan East, Japan West
Allow resource creation only in United States data centers Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US
Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the ‘global’ region.
Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements.
Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support ‘tags’ and ‘location’ will be affected by this policy. To restrict all resources please duplicate this policy and change the ‘mode’ to ‘All’.
Allowed storage account SKUs This policy enables you to specify a set of storage account SKUs that your organization can deploy.
Allowed virtual machine SKUs This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services
API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Append tag and its default value Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups.
Append tag and its default value to resource groups Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed.
Append tag and its value from the resource group Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed.
Audit diagnostic setting Audit diagnostic setting for selected resource types
Audit Linux VMs that do not have the specified applications installed This policy audits Linux virtual machines that do not have the specified applications installed. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Linux VMs that have the specified applications installed This policy audits Linux virtual machines that have the specified applications installed. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit resource location matches resource group location Audit that the resource location matches its resource group location
Audit SQL DB Level Audit Setting Audit DB level audit setting for SQL databases
Audit unrestricted network access to storage accounts Audit unrestricted network access in your storage account firewall settings. Instead, configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges
Audit usage of custom RBAC rules Audit built-in roles such as ‘Owner, Contributer, Reader’ instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.
Audit VMs that do not use managed disks This policy audits VMs that do not use managed disks
Audit Windows Server VMs on which Windows Serial Console is not enabled This policy audits Windows Server virtual machines on which Windows Serial Console is not enabled. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs in which the Administrators group contains any of the specified members This policy audits Windows virtual machines in which the Administrators group contains any of the specified members. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs in which the Administrators group does not contain all of the specified members This policy audits Windows virtual machines in which the Administrators group does not contain all of the specified members. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs in which the Administrators group does not contain only the specified members This policy audits Windows virtual machines in which the Administrators group does not contain only the specified members. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs on which the specified services are not installed and ‘Running’ This policy audits Windows virtual machines on which the specified services are not installed and ‘Running’. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs that are not joined to the specified domain This policy audits Windows virtual machines that are not joined to the specified domain. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs that are not set to the specified time zone This policy audits Windows virtual machines that are not set to the specified time zone. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs that do not have the specified applications installed This policy audits Windows virtual machines that do not have the specified applications installed. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy audits Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy audits Windows virtual machines that do not have the specified Windows PowerShell modules installed. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs that have the specified applications installed This policy audits Windows virtual machines that have the specified applications installed. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows VMs with a pending reboot This policy audits Windows virtual machines with a pending reboot. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Audit Windows web servers that are not using secure communication protocols This policy audits Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Auditing should be enabled on advanced data security settings on SQL Server Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
Authorization rules on the Event Hub instance should be defined Audit existence of authorization rules on Event Hub entities to grant least-privileged access
Automatic provisioning of security monitoring agent Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center.
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data
Azure Marketplace Policy Govern usage of Azure Marketplace resources
Blacklisted Software This policy checks if a given software is installed
CORS should not allow every resource to access your API App Cross origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.
CORS should not allow every resource to access your Function App Cross origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.
CORS should not allow every resource to access your Web Application Cross origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.
DDoS Protection Standard should be enabled DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a ‘sqlva’ prefix.
Deploy Advanced Threat Protection on Storage Accounts This policy enables Advanced Threat Protection on Storage Accounts.
Deploy Auditing on SQL servers This policy ensures that Auditing is enabled on SQL Servers for enhanced security and compliance. It will automatically create a storage account in the same region as the SQL server to store audit records.
Deploy default Log Analytics Agent for Ubuntu VMs This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace
Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.
Deploy Diagnostic Settings for Azure SQL Database to Event Hub Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated.
Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.
Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name ‘{storagePrefixParameter}{NSGLocation}’ will be automatically created.
Deploy network watcher when virtual networks are created This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances.
Deploy requirements to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows Server VMs on which Windows Serial Console is not enabled This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs in which the Administrators group contains any of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs in which the Administrators group does not contain all of the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs in which the Administrators group does not contain only the specified members This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs on which the specified services are not installed and ‘Running’ This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and ‘Running’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs that are not joined to the specified domain This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs that are not set to the specified time zone This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs that do not have the specified Windows PowerShell execution policy This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs that do not have the specified Windows PowerShell modules installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows VMs with a pending reboot This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy requirements to audit Windows web servers that are not using secure communication protocols This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases
Deploy Threat Detection on SQL servers This policy ensures that Threat Detection is enabled on SQL Servers.
Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised
Diagnostic logs in Azure Data Lake Store should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Azure Stream Analytics should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Batch accounts should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Data Lake Analytics should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Event Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in IoT Hub should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Key Vault should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Logic Apps should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Search services should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Service Bus should be enabled Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised
Diagnostic logs in Virtual Machine Scale Sets should be enabled It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.
Disk encryption should be applied on virtual machines VMs without an enabled disk encryption will be monitored by Azure Security Center as recommendations
Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings Audit that ‘email notification to admins and subscription owners’ is enabled in the SQL managed instance advanced threat protection settings. This ensures that any detections of anomalous activities on SQL managed instance are reported as soon as possible to the admins.
Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings Audit that ‘email notification to admins and subscription owners’ is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.
Enforce SSL connection should be enabled for MySQL database servers This policy audits any MySQL server that is not enforcing SSL connection. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ‘man in the middle’ attacks by encrypting the data stream between the server and your application.
Enforce SSL connection should be enabled for PostgreSQL database servers This policy audits any PostgreSQL server that is not enforcing SSL connection. Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against ‘man-in-the-middle’ attacks by encrypting the data stream between the server and your application
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.
Function App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Gateway subnets should not be configured with a network security group This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.
Just-In-Time network access control should be applied on virtual machines Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations
Key Vault objects should be recoverable This policy audits if key vault objects are not recoverable. Soft Delete feature helps to effectively hold the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When ‘Purge protection’ is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed.
Management ports should be closed on your virtual machines Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.
Metric alert rules should be configured on Batch accounts Audit configuration of metric alert rules on Batch account to enable the required metric
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources.
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations
Monitor unaudited SQL servers in Azure Security Center SQL servers which don’t have SQL auditing turned on will be monitored by Azure Security Center as recommendations
Monitor unencrypted SQL databases in Azure Security Center Unencrypted SQL databases will be monitored by Azure Security Center as recommendations
Network interfaces should disable IP forwarding This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure’s check of the source and destination for a network interface. This should be reviewed by the network security team.
Network interfaces should not have public IPs This policy denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team.
Network Security Group Rules for Internet facing virtual machines should be hardened Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
Not allowed resource types This policy enables you to specify the resource types that your organization cannot deploy.
Only secure connections to your Redis Cache should be enabled Audit enabling of only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking
Remote debugging should be turned off for API App Remote debugging requires inbound ports to be opened on an API app. Remote debugging should be turned off.
Remote debugging should be turned off for Function App Remote debugging requires inbound ports to be opened on an function app. Remote debugging should be turned off.
Remote debugging should be turned off for Web Application Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.
Require automatic OS image patching on Virtual Machine Scale Sets This policy enforces enabling automatic OS image patching on Virtual Machine Scale Sets to always keep Virtual Machines secure by safely applying latest security patches every month.
Require encryption on Data Lake Store accounts This policy ensures encryption is enabled on all Data Lake Store accounts
Require specified tag Enforces existence of a tag. Does not apply to resource groups.
Require specified tag on resource groups Enforces existence of a tag on resource groups.
Require SQL Server version 12.0 This policy ensures all SQL servers use version 12.0
Require tag and its value Enforces a required tag and its value. Does not apply to resource groups.
Require tag and its value on resource groups Enforces a required tag and its value on resource groups.
Secure transfer to storage accounts should be enabled Audit requirment of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed
Service Fabric clusters should only use Azure Active Directory for client authentication Audit usage of client authentication only via Azure Active Directory in Service Fabric
SQL Auditing settings should have Action-Groups configured to capture critical activities The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging
SQL managed instance TDE protector should be encrypted with your own key Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
SQL server TDE protector should be encrypted with your own key Transparent Data Encryption (TDE) with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
SQL servers should be configured with auditing retention days greater than 90 days. Audit SQL servers configured with an auditing retention period of less than 90 days.
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
Subnets should be associated with a Network Security Group Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.
System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.
System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations
The NSGs rules for web applications on IaaS should be hardened Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy.
Transparent Data Encryption on SQL databases should be enabled Audit transparent data encryption status for SQL databases
Virtual machines should be associated with a Network Security Group Protect your VM from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM from other instances, in or outside the same subnet.
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management
Vulnerabilities in container security configurations should be remediated Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center.
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.
Vulnerabilities on your SQL databases should be remediated Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities.
Vulnerabilities should be remediated by a Vulnerability Assessment solution Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations.
Vulnerability assessment should be enabled on your SQL managed instances Audit SQL managed instances which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
Web Application should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Preview Policies

And the following policies are not yet supported for production:

Name Description
[Preview]: Access to App Services should be restricted Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad
[Preview]: Audit application inside Windows VMs must NOT be present This policy will audit instances of applications running inside Windows virtual machines, to verify that the application does not exist.
[Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated.
[Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated.
[Preview]: Audit Linux VMs that allow remote connections from accounts without passwords This policy audits Linux virtual machines that allow remote connections from accounts without passwords. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Linux VMs that do not have the passwd file permissions set to 0644 This policy audits Linux virtual machines that do not have the passwd file permissions set to 0644. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Linux VMs that have accounts without passwords This policy audits Linux virtual machines that have accounts without passwords. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated.
[Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted Reports VMSS as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated.
[Preview]: Audit Log Analytics Workspace for VM - Report Mismatch Reports VMs as non-compliant if they not logging to the LA workspace specified in the policy/initiative assignment.
[Preview]: Audit Windows VMs on which the DSC configuration is not compliant This policy audits Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs on which the Log Analytics agent is not connected as expected This policy audits Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. This policy should only be used along with its corresponding deploy policy in an initiative/policy set. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs on which the remote host connection status does not match the specified one This policy audits Windows virtual machines on which the remote host connection status does not match the specified one. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy audits Windows virtual machines on which Windows Defender Exploit Guard is not enabled. This policy should only be used along with its corresponding deploy policy in an initiative/policy set. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that allow re-use of the previous 24 passwords This policy audits Windows virtual machines that allow re-use of the previous 24 passwords. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that contain certificates expiring within the specified number of days This policy audits Windows virtual machines that contain certificates expiring within the specified number of days. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that do not contain the specified certificates in Trusted Root This policy audits Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that do not have a maximum password age of 70 days This policy audits Windows virtual machines that do not have a maximum password age of 70 days. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that do not have a minimum password age of 1 day This policy audits Windows virtual machines that do not have a minimum password age of 1 day. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that do not have the password complexity setting enabled This policy audits Windows virtual machines that do not have the password complexity setting enabled. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that do not restrict the minimum password length to 14 characters This policy audits Windows virtual machines that do not restrict the minimum password length to 14 characters. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that do not store passwords using reversible encryption This policy audits Windows virtual machines that do not store passwords using reversible encryption. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Audit Windows VMs that have not restarted within the specified number of days This policy audits Windows virtual machines that have not restarted within the specified number of days. This policy should only be used along with its corresponding deploy policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Authorized IP ranges should be defined on Kubernetes Services Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
[Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS) Deploy Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.
[Preview]: Deploy Dependency Agent for Linux VMs Deploy Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed.
[Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS) Deploy Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.
[Preview]: Deploy Dependency Agent for Windows VMs Deploy Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated.
[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS) Deploy Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.
[Preview]: Deploy Log Analytics Agent for Linux VMs Deploy Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed.
[Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS) Deploy Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.
[Preview]: Deploy Log Analytics Agent for Windows VMs Deploy Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated.
[Preview]: Deploy requirements to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates - Control Panel’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Administrative Templates - Control Panel’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates - Network’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Administrative Templates - Network’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates - System’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Administrative Templates - System’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Adminstrative Templates - MSS (Legacy)’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Adminstrative Templates - MSS (Legacy)’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Accounts’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Accounts’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Audit’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Audit’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Devices’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Devices’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Interactive Logon’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Interactive Logon’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Microsoft Network Client’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Microsoft Network Client’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Microsoft Network Server’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Microsoft Network Server’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Network Access’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Network Access’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Network Security’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Network Security’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Recovery console’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Recovery console’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - Shutdown’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Shutdown’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - System objects’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - System objects’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - System settings’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - System settings’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Options - User Account Control’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - User Account Control’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Security Settings - Account Policies’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Settings - Account Policies’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Account Logon’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Account Logon’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Account Management’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Account Management’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Detailed Tracking’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Detailed Tracking’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Logon-Logoff’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Logon-Logoff’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Object Access’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Object Access’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Policy Change’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Policy Change’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - Privilege Use’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Privilege Use’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies - System’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - System’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘User Rights Assignment’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘User Rights Assignment’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Windows Components’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Windows Components’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs configurations in ‘Windows Firewall Properties’ This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: ‘Windows Firewall Properties’. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs on which the DSC configuration is not compliant This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs on which the Log Analytics agent is not connected as expected This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative/policy set. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs on which the remote host connection status does not match the specified one This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs on which Windows Defender Exploit Guard is not enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative/policy set. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that allow re-use of the previous 24 passwords This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that contain certificates expiring within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that do not contain the specified certificates in Trusted Root This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that do not have a maximum password age of 70 days This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that do not have a minimum password age of 1 day This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that do not have the password complexity setting enabled This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that do not restrict the minimum password length to 14 characters This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that do not store passwords using reversible encryption This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Deploy requirements to audit Windows VMs that have not restarted within the specified number of days This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: IP Forwarding on your virtual machine should be disabled Enabling IP forwarding on a virtual machine’s NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
[Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+
[Preview]: Pod Security Policies should be defined on Kubernetes Services Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.
[Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.
[Preview]: Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security
[Preview]: Show audit results from Windows VMs configurations in ‘Administrative Templates - Control Panel’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Administrative Templates - Control Panel’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Administrative Templates - Network’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Administrative Templates - Network’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Administrative Templates - System’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Administrative Templates - System’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Adminstrative Templates - MSS (Legacy)’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Adminstrative Templates - MSS (Legacy)’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Accounts’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Accounts’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Audit’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Audit’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Devices’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Devices’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Interactive Logon’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Interactive Logon’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Microsoft Network Client’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Microsoft Network Client’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Microsoft Network Server’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Microsoft Network Server’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Network Access’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Network Access’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Network Security’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Network Security’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Recovery console’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Recovery console’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - Shutdown’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - Shutdown’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - System objects’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - System objects’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - System settings’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - System settings’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Options - User Account Control’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Options - User Account Control’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Security Settings - Account Policies’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Security Settings - Account Policies’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Account Logon’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Account Logon’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Account Management’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Account Management’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Detailed Tracking’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Detailed Tracking’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Logon-Logoff’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Logon-Logoff’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Object Access’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Object Access’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Policy Change’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Policy Change’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - Privilege Use’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - Privilege Use’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘System Audit Policies - System’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘System Audit Policies - System’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘User Rights Assignment’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘User Rights Assignment’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Windows Components’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Windows Components’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
[Preview]: Show audit results from Windows VMs configurations in ‘Windows Firewall Properties’ This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: ‘Windows Firewall Properties’. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Recommendation

The following 12 out-of-the-box policies belong to my favorites - I selected them with a typical “large enterprise central IT hub & spoke” setup in mind and do not cover specific cases, more the general hardening and guidance if you delegate subscriptions to business departments: Imagine you would have to secure the spokes without having direct access to it and still want to provide the business units with the flexibility and power of Azure. If you are in doubt if the policy guides the users or blocks them, start with an audit effect so you can assess the impact first and talk to the users that would be affected. Security and Governance is never a one-man-show and there are always scenarios that you could not come up with. Cloud-native governance must give you control but still ensures the speed of the business - having a traditional ‘get an approval first’ process before someone can do something is not the way it should be, right?

A maximum of 3 owners should be designated for your subscription & There should be more than one owner assigned to your subscription

‘Too many cooks spoil the broth’ - if there are too many owners, who owns? Same applies to ‘only one’ owner. So it should be 2-3 owners, not more, not less.

Access through Internet facing endpoint should be restricted

Permissive NSGs or lack of Azure firewalls are potential entry points - secure that boundary.

Allow resource creation if ‘environment’ tag value in allowed values

Specifying if a resource is crucial or not can be super important. So having this policy in place enables transparency of what it dev, test or production. I would go a little further and combine the policy with resource locks. When a resource is flagged for production, there should be resource lock that prevents deletion - the policy should configured with an audit effect.

There are other ‘Allow if tag value is set’ policies - depending on your scenario, they are worth a look!

Allowed locations

Typically there are agreed locations that can be used - prevent resource creation in other places. Ensure that the regions with availability zones are included - and do not forget the paired regions for disaster recovery.

Audit virtual machines without disaster recovery configured

That is a great policy. At least for all production VMs there should be Azure Size Recovery configured so that you can recover to a secondary region (I like the idea to combine it with further tags to have the policy more specific).

Audit VMs that do not use managed disks

It would discuss all usages of unmanged disks - if you create a new workload, I would use managed disks everywhere.

Function App should only be accessible over HTTPS

What could be the reason to make a function available un-encrypted? Guide and ensure everyone to have them encrypted.

MFA should be enabled on accounts with owner permissions on your subscription

With great power comes great responsibility - and these people have to be protected. “81 percent of successful cyberattacks begin with a compromised username and password”, if MFA is an option for you, enforce it.

Secure transfer to storage accounts should be enabled

When I started to write this post, I thought this is a no-brainer. There is always an exception to the rule, right?

Web Application should only be accessible over HTTPS

Again, always have HTTPS for traffic - see https://doesmysiteneedhttps.com/

[Preview]: Audit Linux VMs that have accounts without passwords

No password, really!? It makes a login really easy but it should not. This policy is in preview as of now, so no production-usage!

[Preview]: Audit Windows VMs that contain certificates expiring within the specified number of days

Where has this been all my life? I have seen so many production outages because of expiring certificates. A central place to audit this is great. This policy is in preview as of now, so no production-usage!

Custom Policies I would add

You can create and adjust the policies to your needs, and that is really the strength of the platform. There are already a lot of examples available in the Azure Policy repository, I typically start with them.

So in certain cases I would recommend the following:

  1. Regulate Azure Marketplace, see example in my post “AZURE GOVERNANCE: GOVERN THE AZURE MARKETPLACE WITH AZURE POLICY
  2. No public IP for VMs. See the “Only Allow public IP in specific subnets” example and adjust it. This has huge impact to many services, start with AUDIT effect!

More

If you want to learn more about Azure Policy and Azure Governance in general, I can recommend you the following:

Summary

“Common sense is not that common” - my friend Tom Janetscheck uses in his excellent Azure Governance and Security workshops (stolen from Voltaire!). In this post I explained why I would always enable certain policies and what the impact is - if you have other ‘Azure Policy’-must-haves or questions, please let me know!

Hope it helps,
Max

comments powered by Disqus