Azure: Control Permissions
This page describes the permissions required for the Microsoft Azure controls. Grant these permissions to ensure that you can view these controls in the policy tab.
Mandatory Permissions
Below are the mandatory permissions required for each control.
| Description | Permissions |
|---|---|
| Mandatory Permissions to list subscriptions (Tenant level) | Microsoft.Management/managementGroups/subscriptions/read |
| Mandatory Permissions to list Management Groups (Tenant level) | Microsoft.Management/managementGroups/read |
| Mandatory Permissions to list the Resource Groups and Public IP Addresses | Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Network/publicIPAddresses/read |
Control Permissions
| ControlID | Title | Permissions |
|---|---|---|
| 50001 | Ensure that Data encryption is set to ON for a SQL database | Microsoft.Sql/servers/read Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/transparentDataEncryption/read |
| 50002 | Ensure no SQL Servers allow ingress from Internet (ANY IP) | Microsoft.Sql/servers/read Microsoft.Sql/servers/firewallRules/read |
| 50003 | Ensure that Adaptive Application Controls is set to On | Microsoft.Authorization/policyAssignments/read |
| 50004 | Ensure that Auto provisioning of Log Analytics agent for Azure VMs is set to On | Microsoft.Security/autoProvisioningSettings/read |
| 50005 | Ensure that Microsoft Defender Recommendation for Apply system updates status is Completed | Microsoft.Authorization/policyAssignments/read |
| 50006 | Ensure that Vulnerabilities in security configuration on your machines should be remediated is set to On | Microsoft.Authorization/policyAssignments/read |
| 50007 | Ensure that Monitor missing Endpoint Protection in Azure Security Center is set to On | Microsoft.Authorization/policyAssignments/read |
| 50008 | Ensure that Disk encryption should be applied on virtual machines is set to On | Microsoft.Authorization/policyAssignments/read |
| 50009 | Ensure that Network security groups is set to On | Microsoft.Authorization/policyAssignments/read |
| 50010 | Ensure that NSGs rules for web applications on IaaS should be hardened is set to ON | Microsoft.Authorization/policyAssignments/read |
| 50011 | Ensure that Secure transfer required is set to Enabled | Microsoft.Storage/storageAccounts/read |
| 50012 | Ensure that Public access level is set to Private for blob containers | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/blobServices/containers/read |
| 50013 | Ensure that default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Microsoft.Sql/servers/read Microsoft.Sql/servers/extendedAuditingSettings/read |
| 50014 | Ensure that Monitor unaudited SQL databases in Azure Security Center is set to On | Microsoft.Authorization/policyAssignments/read |
| 50015 | Ensure that Microsoft Defender for Servers is set to On | Microsoft.Security/pricings/read |
| 50016 | Ensure that Access through Internet facing endpoint should be restricted is set to On | Microsoft.Authorization/policyAssignments/read |
| 50017 | Ensure that Vulnerabilities should be remediated by a Vulnerability Assessment solution | Microsoft.Authorization/policyAssignments/read |
| 50018 | Ensure that Audit missing blob encryption for storage account is set to On | Microsoft.Authorization/policyAssignments/read |
| 50019 | Ensure that Just-In-Time network access control should be applied on virtual machines is set to On | Microsoft.Authorization/policyAssignments/read |
| 50020 | Ensure Additional email addresses is configured with a security contact email | Microsoft.Security/securityContacts/read |
| 50021 | Ensure that security contact Phone number is set | Microsoft.Security/securityContacts/read |
| 50022 | Ensure that Notify about alerts with the following severity is set to High | Microsoft.Security/securityContacts/read |
| 50023 | Ensure that All users with the following roles is set to Owner | Microsoft.Security/securityContacts/read |
| 50024 | Ensure that LogProfile for a subscription is configured properly | Microsoft.Resources/subscriptions/locations/read Microsoft.Insights/LogProfiles/Read |
| 50025 | Ensure that Monitor unencrypted SQL databases in Azure Security Center is set to On | Microsoft.Authorization/policyAssignments/read |
| 50026 | Ensure keyvault is recoverable | Microsoft.KeyVault/vaults/read |
| 50027 | Ensure SQL server Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Microsoft.Sql/servers/read Microsoft.Sql/servers/encryptionProtector/read |
| 50029 | Disable RDP access on Network Security Groups from Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/read |
| 50030 | Ensure that the Expiration Date is set for all Secrets in Non RBAC Key Vaults | Microsoft.Resources/subscriptions/resources/read Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/secrets/read |
| 50031 | Disable SSH access on Network Security Groups from Internet (ANY IP) | Microsoft.Network/networkSecurityGroups/read |
| 50032 | Ensure that Unattached disks are encrypted with Customer Managed Key (CMK) | Microsoft.Compute/disks/read |
| 50033 | Ensure that all Attached VM Disks are encrypted with Customer Managed Key (CMK) | Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/instanceView/read |
| 50034 | Ensure disks are encrypted for Windows VMs with ADE version 1.1 | Microsoft.Compute/virtualMachines/read |
| 50035 | Ensure that Microsoft Entra authentication is configured for SQL Servers | Microsoft.Sql/servers/read Microsoft.Sql/servers/administrators/read |
| 50036 | Ensure that Resource Locks are set for Mission-Critical Azure Resources | Microsoft.Authorization/locks/read |
| 50037 | Ensure to enable Virtual machines with end-to-end encryption using encryption at host | Microsoft.Compute/virtualMachines/read |
| 50038 | Ensure that all disk snapshots are encrypted with Customer-managed key(CMK) | Microsoft.Compute/snapshots/read |
| 50039 | Ensure Enforce SSL connection is set to ENABLED for MySQL Database Server | Microsoft.DBforMySQL/servers/read |
| 50040 | Ensure Enforce SSL connection is set to ENABLED for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read |
| 50041 | Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/configurations/read |
| 50042 | Ensure server parameter log_connections is set to ON for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/configurations/read |
| 50043 | Ensure server parameter log_disconnections is set to ON for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/configurations/read |
| 50044 | Ensure server parameter log_duration is set to ON for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/configurations/read |
| 50045 | Ensure server parameter log_retention_days is greater than 3 days for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/configurations/read |
| 50046 | Enable RBAC within Azure Kubernetes Services | Microsoft.ContainerService/managedClusters/read |
| 50047 | Ensure App Service Authentication is set up for apps in Azure App Service | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read Microsoft.Web/sites/config/list/Action |
| 50048 | Ensure Web app redirects all HTTP traffic to HTTPS | Microsoft.Web/sites/Read |
| 50049 | Ensure Web app has Client Certificates (Incoming client certificates) set to On | Microsoft.Web/sites/Read |
| 50050 | Ensure that Register with Entra ID is enabled on App Service | Microsoft.Web/sites/Read |
| 50051 | Ensure Web app is using the latest version of TLS encryption version | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50052 | Ensure default network access rule for Storage Accounts is set to deny | Microsoft.Storage/storageAccounts/read |
| 50053 | Ensure Allow Azure services on the trusted services list to access this storage account is Enabled for Storage Account Access | Microsoft.Storage/storageAccounts/read |
| 50054 | Ensure that logging for Azure KeyVault is Enabled | Microsoft.KeyVault/vaults/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read |
| 50055 | Ensure Network Security Group Flow Log retention is greater than 90 days | Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkWatchers/flowLogs/read |
| 50056 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Microsoft.Insights/LogProfiles/Read Microsoft.Storage/storageAccounts/read |
| 50057 | Ensure that Azure Container Registry not using deprecated classic registry | Microsoft.ContainerRegistry/registries/read |
| 50058 | Ensure that Detailed Error Logging is enabled in API Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50059 | Ensure Activity Log Alert exists for Delete SQL server firewall rule | Microsoft.Insights/ActivityLogAlerts/Read |
| 50060 | Ensure that Azure Virtual Network subnet is configured with a Network Security Group | Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read |
| 50061 | Ensure that HTTP Version used for web app is latest | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50062 | Ensure Network Watcher is Enabled for your Subscription | Microsoft.Resources/subscriptions/locations/read Microsoft.Network/networkWatchers/read |
| 50063 | Ensure Activity Log Alert exists for Create Policy Assignment | Microsoft.Insights/ActivityLogAlerts/Read |
| 50064 | Ensure Activity Log Alert exists for Create or Update Network Security Group | Microsoft.Insights/ActivityLogAlerts/Read |
| 50065 | Ensure Activity Log Alert exists for Delete Network Security Group | Microsoft.Insights/ActivityLogAlerts/Read |
| 50066 | Ensure Activity Log Alert exists for Create or Update Network Security Group Rule | Microsoft.Insights/ActivityLogAlerts/Read |
| 50067 | Ensure Activity Log Alert exists for Delete Network Security Group Rule | Microsoft.Insights/ActivityLogAlerts/Read |
| 50068 | Ensure Activity Log Alert exists for Create or Update Security Solution | Microsoft.Insights/ActivityLogAlerts/Read |
| 50069 | Ensure Activity Log Alert exists for Delete Security Solution | Microsoft.Insights/ActivityLogAlerts/Read |
| 50070 | Ensure Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Microsoft.Insights/ActivityLogAlerts/Read |
| 50071 | Ensure Activity Log Alert exists for Update Security Policy | Microsoft.Insights/ActivityLogAlerts/Read |
| 50072 | Ensure guest users are reviewed on a monthly basis | Permissions not found |
| 50073 | Ensure that no custom subscription Administrator Roles exist | Microsoft.Authorization/roleDefinitions/read |
| 50074 | Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/configurations/read |
| 50075 | Ensure that diagnostic settings for Azure KeyVault is set to ON | Microsoft.KeyVault/vaults/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read |
| 50076 | Ensure storage container storing activity logs is not publicly accessible | Microsoft.Insights/LogProfiles/Read Microsoft.Storage/storageAccounts/blobServices/containers/read |
| 50077 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Microsoft.Security/settings/read |
| 50078 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Microsoft.Security/settings/read |
| 50079 | Ensure that Microsoft Defender for Azure SQL Databases is set to On | Microsoft.Security/pricings/read |
| 50080 | Ensure that Microsoft Defender for App Services is set to On | Microsoft.Security/pricings/read |
| 50081 | Ensure that Microsoft Defender for Storage is set to On | Microsoft.Security/pricings/read |
| 50082 | Ensure any of the ASC Default policy setting is not set to Disabled | Microsoft.Authorization/policyAssignments/read Microsoft.Authorization/policyAssignments/read/SecurityCenterBuiltIn |
| 50083 | Ensure that Microsoft Defender for SQL is set to ON for critical SQL Servers | Microsoft.Sql/servers/read Microsoft.Sql/servers/vulnerabilityAssessments/read |
| 50084 | Ensure App Service Authentication is set on Function Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read Microsoft.Web/sites/config/list/Action |
| 50085 | Ensure Function app redirects all HTTP traffic to HTTPS | Microsoft.Web/sites/Read |
| 50086 | Ensure Function app has Client Certificates (Incoming client certificates) set to On | Microsoft.Web/sites/Read |
| 50087 | Ensure that Register with Azure Active Directory is enabled on Function apps | Microsoft.Web/sites/Read |
| 50088 | Ensure Function app is using the latest version of TLS encryption version | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50089 | Ensure that HTTP Version used for Function app is latest | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50090 | Ensure that Azure AKS cluster monitoring is enabled | Microsoft.ContainerService/managedClusters/read |
| 50091 | Ensure that Azure AKS cluster HTTP application routing is disabled | Microsoft.ContainerService/managedClusters/read |
| 50092 | Ensure that Azure AKS cluster Azure CNI networking enabled | Microsoft.ContainerService/managedClusters/read |
| 50093 | Ensure that Azure Application Gateway have the Web application firewall (WAF) enabled | Microsoft.Network/applicationGateways/read |
| 50094 | Ensure that Azure Application Gateway allows TLSv1.2 or above | Microsoft.Network/applicationGateways/read |
| 50095 | Ensure that default Auditing policy for a SQL Database is configured to capture and retain the activity logs | Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/extendedAuditingSettings/read |
| 50096 | Ensure Storage Auto-Growth is enabled on PostgreSQL server | Microsoft.DBforPostgreSQL/servers/read |
| 50097 | Ensure that Request Tracing is enabled in API Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50098 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for SQL server | Microsoft.Sql/servers/read |
| 50099 | Ensure that Azure Cosmos DB accounts Firewalls and Networks is limited to use Selected Networks instead of All Networks | Microsoft.DocumentDB/databaseAccounts/read |
| 50100 | Ensure that Azure SQL Database have private endpoint connections enabled | Microsoft.Sql/servers/read |
| 50101 | Ensure that Logic Apps Integration Service Environments are encrypted with customer-managed keys | Microsoft.Logic/integrationServiceEnvironments/read |
| 50103 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for Azure Database for MySQL server | Microsoft.DBforMySQL/servers/read |
| 50104 | Ensure no MySQL Server allow ingress from Internet (ANY IP) | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/firewallRules/read |
| 50105 | Ensure that geo_redundant_backup_enabled is set to Enabled for Azure Database for MySQL server | Microsoft.DBforMySQL/servers/read |
| 50106 | Ensure that Public Network Access is Disabled for Azure Database for MySQL server | Microsoft.DBforMySQL/servers/read |
| 50107 | Ensure that Azure Database for MySQL server diagnostic setting is configured properly | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/providers/Microsoft.Insights/diagnosticSettings/read |
| 50108 | Ensure SQL server has Auto-Failover group enabled | Microsoft.Sql/servers/read Microsoft.Sql/servers/failoverGroups/read |
| 50109 | Ensure Enforce SSL connection is set to ENABLED for Azure Database for MariaDB server | Microsoft.DBforMariaDB/servers/read |
| 50110 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for Azure Database for MariaDB server | Microsoft.DBforMariaDB/servers/read |
| 50111 | Ensure no MariaDB Server allow ingress from Internet (ANY IP) | Microsoft.DBforMariaDB/servers/read Microsoft.DBforMariaDB/servers/firewallRules/read |
| 50112 | Ensure that geo_redundant_backup_enabled is set to Enabled for Azure Database for MariaDB server | Microsoft.DBforMariaDB/servers/read |
| 50113 | Ensure that Public Network Access is Disabled for Azure Database for MariaDB server | Microsoft.DBforMariaDB/servers/read |
| 50114 | Ensure that network access is restricted in Cognitive Services accounts | Microsoft.CognitiveServices/accounts/read |
| 50116 | Ensure that ssl_minimal_tls_version_enforced is set to 1.2 for Azure Database for PostgreSQL server | Microsoft.DBforPostgreSQL/servers/read |
| 50117 | Ensure Allow access to Azure services for PostgreSQL Database Server is disabled | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/firewallRules/read |
| 50118 | Ensure that geo_redundant_backup_enabled is set to Enabled for Azure Database for PostgreSQL server | Microsoft.DBforPostgreSQL/servers/read |
| 50119 | Ensure that Public Network Access is Disabled for Azure Database for PostgreSQL server | Microsoft.DBforPostgreSQL/servers/read |
| 50120 | Ensure that Azure Database for PostgreSQL server diagnostic setting is configured properly | Microsoft.DBforPostgreSQL/servers/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.DBforPostgreSQL/servers/providers/Microsoft.Insights/diagnosticSettings/read |
| 50121 | Ensure that Automatic-failover is set for Azure CosmosDB | Microsoft.DocumentDB/databaseAccounts/read |
| 50122 | Ensure that Diagnostic settings are set properly for Azure CosmosDB | Microsoft.DocumentDB/databaseAccounts/read Microsoft.DocumentDB/databaseAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
| 50123 | Ensure that resource lock is set on Azure CosmosDB | Microsoft.Authorization/locks/read |
| 50124 | Ensure that Azure CosmosDB does not allow access from all networks | Microsoft.DocumentDB/databaseAccounts/read |
| 50125 | Ensure Activity Log Alert exists for Create/Update Storage Account | Microsoft.Insights/ActivityLogAlerts/Read |
| 50126 | Ensure Activity Log Alert exists for Delete Storage Account | Microsoft.Insights/ActivityLogAlerts/Read |
| 50127 | Ensure Activity Log Alert exists for Create or Update Virtual Machine | Microsoft.Insights/ActivityLogAlerts/Read |
| 50128 | Ensure Activity Log Alert exists for Deallocate Virtual Machine | Microsoft.Insights/ActivityLogAlerts/Read |
| 50129 | Ensure Activity Log Alert exists for Delete Virtual Machine | Microsoft.Insights/ActivityLogAlerts/Read |
| 50130 | Ensure that the endpoint protection for all Virtual Machines is installed | Microsoft.Compute/virtualMachines/read |
| 50131 | Ensure that Azure Active Directory authentication is configured for MySql server | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/administrators/read |
| 50132 | Ensure that Azure Active Directory authentication is configured for PostgreSql servers | Microsoft.DBforPostgreSQL/servers/read Microsoft.DBforPostgreSQL/servers/administrators/read |
| 50133 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/blobServices/read |
| 50134 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Microsoft.Storage/storageAccounts/read |
| 50135 | Ensure Activity Log Alert exists for Delete Policy Assignment | Microsoft.Insights/ActivityLogAlerts/Read |
| 50136 | Ensure FTP deployments are disabled for web apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50137 | Ensure that OS and Data disks are encrypted with Customer Managed Key | Microsoft.Compute/disks/read |
| 50138 | Ensure that UDP Services are restricted from the Internet | Microsoft.Network/networkSecurityGroups/read |
| 50139 | Ensure that Azure Defender is set to On for Kubernetes | Microsoft.Security/pricings/read |
| 50140 | [LEGACY] Ensure that Microsoft Defender is set to On for Container Registries | Microsoft.Security/pricings/read |
| 50141 | Ensure that Microsoft Defender for Key Vault is set to On | Microsoft.Security/pricings/read |
| 50142 | Ensure Diagnostic Setting captures appropriate categories | Microsoft.Insights/DiagnosticSettings/Read |
| 50143 | Ensure that CORS does not allow every resource to access the Function Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50144 | Ensure that CORS does not allow every resource to access the Web apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50145 | Ensure that Diagnostic logs is enabled in Web apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read microsoft.web/sites/config/appsettings/read |
| 50146 | Ensure that Function apps enforce FTPS-only access to FTP traffic | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50147 | Ensure that Managed identity is used in Function apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50148 | Ensure that Managed identity is used in Web apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50149 | Ensure that Remote debugging is turned off for Function apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50150 | Ensure that Remote debugging is turned off for Web apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50151 | Ensure that routing of outbound non-RFC 1918 traffic to Azure Virtual Network is enabled in Function apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read microsoft.web/sites/config/appsettings/read |
| 50152 | Ensure that outbound non-RFC 1918 traffic to Azure Virtual Network is enabled in Web apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read microsoft.web/sites/config/appsettings/read |
| 50153 | Ensure that public network access is disabled in Redis Cache | Microsoft.Cache/redis/read |
| 50154 | Ensure that Redis Cache uses private link | Microsoft.Cache/redis/read |
| 50155 | Ensure that only secure connections to Redis Cache is enabled | Microsoft.Cache/redis/read |
| 50156 | Ensure that public network access is disabled in Managed Disks | Microsoft.Compute/disks/read |
| 50157 | Ensure that Disk Access resources are configured with private endpoints | Microsoft.Compute/diskAccesses/read |
| 50158 | Ensure that all Authorization Rules except RootManageSharedAccessKey are removed from Event Hub Namespaces | Microsoft.EventHub/namespaces/read Microsoft.EventHub/namespaces/authorizationRules/read |
| 50159 | Ensure that Authorization rules are defined in Event Hub instances | Microsoft.EventHub/namespaces/read Microsoft.EventHub/namespaces/eventhubs/read Microsoft.EventHub/namespaces/eventhubs/authorizationRules/read |
| 50160 | Ensure that Event Hub Namespaces use Customer-Managed Key for encryption | Microsoft.EventHub/namespaces/read |
| 50161 | Ensure that Event Hub Namespaces use private links | Microsoft.EventHub/namespaces/read |
| 50162 | Ensure that Resource Logs are enabled in Event Hub Namespaces | Microsoft.EventHub/namespaces/read Microsoft.EventHub/namespaces/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.Insights/DiagnosticSettings/Read |
| 50163 | Ensure that all Authorization Rules except RootManageSharedAccessKey are removed from Service Bus Namespaces | Microsoft.ServiceBus/namespaces/read Microsoft.ServiceBus/namespaces/authorizationRules/read |
| 50164 | Ensure that Service Bus Namespaces use private links | Microsoft.ServiceBus/namespaces/read |
| 50165 | Ensure that Resource Logs are enabled in Service Bus Namespaces | Microsoft.ServiceBus/namespaces/read Microsoft.ServiceBus/namespaces/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.Insights/DiagnosticSettings/Read |
| 50166 | Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys | Microsoft.Compute/virtualMachines/read |
| 50167 | Ensure that Azure Container Instance container groups use customer-managed key for encryption | Microsoft.ContainerInstance/containerGroups/read |
| 50168 | Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts | Microsoft.DocumentDB/databaseAccounts/read Microsoft.Security/advancedThreatProtectionSettings/read |
| 50169 | Ensure that Advanced Threat Protection is enabled on Storage Accounts | Microsoft.Storage/storageAccounts/read Microsoft.Security/advancedThreatProtectionSettings/read |
| 50170 | Ensure that Azure File Sync uses private link | Microsoft.StorageSync/storageSyncServices/read |
| 50171 | Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol | Microsoft.Cache/redis/read |
| 50172 | Ensure that Microsoft Defender for Open-Source Relational Databases is set to On | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read |
| 50173 | Ensure that Geo-redundant storage is enabled for Storage Accounts | Microsoft.Storage/storageAccounts/read |
| 50174 | Ensure that Public network access is disabled for Azure File Sync | Microsoft.StorageSync/storageSyncServices/read |
| 50175 | Ensure that Storage Accounts have infrastructure encryption enabled | Microsoft.Storage/storageAccounts/read |
| 50176 | Ensure that Azure Key Vaults use Private Links | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read |
| 50177 | Ensure that encryption with customer-managed key is enabled in PostgreSQL servers | Microsoft.DBforPostgreSQL/servers/read |
| 50178 | Ensure that public network access is disabled on Azure SQL databases | Microsoft.Sql/servers/read |
| 50179 | Ensure that public network access is disabled for MySQL flexible servers | Microsoft.DBforMySQL/flexibleServers/read |
| 50180 | Ensure that public network access is disabled for PostgreSQL flexible servers | Microsoft.DBforPostgreSQL/flexibleServers/read |
| 50181 | Ensure Storage Accounts are using the latest version of TLS encryption | Microsoft.Storage/storageAccounts/read |
| 50182 | Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled | Microsoft.Authorization/policyAssignments/read |
| 50183 | Ensure that monitoring of deprecated accounts within your Azure subscription(s) is enabled | Microsoft.Authorization/policyAssignments/read |
| 50184 | Ensure that IP forwarding enablement on your Azure virtual machines (VMs) is being monitored | Microsoft.Authorization/policyAssignments/read |
| 50185 | Ensure that the external accounts with write permissions are monitored using Azure Security Center | Microsoft.Authorization/policyAssignments/read |
| 50186 | Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/blobServices/containers/read |
| 50187 | Ensure that Diagnostic Settings for Storage Accounts are configured with Log Analytics workspace | Microsoft.Storage/storageAccounts/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.Storage/storageAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
| 50188 | Ensure that Diagnostic Settings for Storage Blobs are configured with Log Analytics workspace | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/blobServices/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.Storage/storageAccounts/blobServices/providers/Microsoft.Insights/diagnosticSettings/read |
| 50189 | Ensure that Diagnostic Settings for Storage Files are configured with Log Analytics workspace | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/fileServices/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.Storage/storageAccounts/fileServices/providers/Microsoft.Insights/diagnosticSettings/read |
| 50190 | Ensure that Diagnostic Settings for Storage Queues are configured with Log Analytics workspace | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.Storage/storageAccounts/queueServices/providers/Microsoft.Insights/diagnosticSettings/read |
| 50191 | Ensure that Diagnostic Settings for Storage Tables are configured with Log Analytics workspace | Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/tableServices/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.Storage/storageAccounts/tableServices/providers/Microsoft.Insights/diagnosticSettings/read |
| 50192 | Ensure that Azure Kubernetes Service Private Clusters is enabled | Microsoft.ContainerService/managedClusters/read |
| 50193 | Ensure that Azure Policy Add-on for Kubernetes service (AKS) is installed and enabled on your clusters | Microsoft.ContainerService/managedClusters/read |
| 50194 | Ensure that Azure Event Grid topics use private links | Microsoft.EventGrid/topics/read |
| 50195 | Ensure that Azure Cache for Redis resides within virtual network | Microsoft.Cache/redis/read |
| 50196 | Ensure that Diagnostic logs are enabled in Virtual Machine Scale Sets | Microsoft.Compute/virtualMachineScaleSets/read |
| 50197 | [LEGACY] Ensure that Microsoft Defender for DNS is set to On | Microsoft.Security/pricings/read |
| 50198 | Ensure that Storage Accounts use private link connections | Microsoft.Storage/storageAccounts/read |
| 50199 | Ensure that Container Registries are configured to disable public network access | Microsoft.ContainerRegistry/registries/read |
| 50200 | Ensure that Container Registries are configured with private endpoints | Microsoft.ContainerRegistry/registries/read |
| 50201 | Ensure that Container Registries are encrypted with a customer-managed key | Microsoft.ContainerRegistry/registries/read |
| 50202 | Ensure that FTPS is enforced in API Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50203 | Ensure that Managed Identity is used in API Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50204 | Ensure that API Apps are only accessible over HTTPS | Microsoft.Web/sites/Read |
| 50205 | Ensure that API Apps have Incoming Client Certificates is set to On | Microsoft.Web/sites/Read |
| 50206 | Ensure that HTTP Logging is enabled in API Apps | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50208 | Ensure that Kubernetes Services Management API server is configured with restricted access | Microsoft.ContainerService/managedClusters/read |
| 50210 | Ensure that Kube Dashboard is disabled | Microsoft.ContainerService/managedClusters/read |
| 50215 | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Microsoft.Storage/storageAccounts/queueServices/read Microsoft.Storage/storageAccounts/read |
| 50217 | Ensure that audit profile captures all the activities | Microsoft.Insights/LogProfiles/Read |
| 50218 | Ensure that the expiry date is set on all keys from RBAC key Vault | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/versions/read |
| 50221 | Ensure consistency level is not set to Eventual for Azure CosmosDB account | Microsoft.DocumentDB/databaseAccounts/read |
| 50224 | Ensure that managed virtual network is enabled in Azure Synapse workspaces | Microsoft.Synapse/workspaces/read |
| 50225 | Ensure that Storage accounts disallow Blob public access | Microsoft.Storage/storageAccounts/read |
| 50226 | Ensure that Microsoft Defender for Resource Manager is set to On | Microsoft.Security/pricings/read |
| 50227 | Ensure that Automation account variables are encrypted | Microsoft.Automation/automationAccounts/read Microsoft.Automation/automationAccounts/variables/read |
| 50228 | Ensure that Azure Data Explorer uses disk encryption | Microsoft.Kusto/Clusters/read |
| 50229 | Ensure that Azure Data Explorer uses double encryption | Microsoft.Kusto/Clusters/read |
| 50230 | Ensure that Azure Batch account uses key vault to encrypt data | Microsoft.Batch/batchAccounts/read |
| 50231 | Ensure that Microsoft Defender for SQL Servers on Machines is set to On | Microsoft.Security/pricings/read |
| 50233 | Ensure that PHP version is the latest, if used to run the web app | Microsoft.Web/sites/Read |
| 50234 | Ensure that Python version is the latest, if used to run the web app | Microsoft.Web/sites/Read |
| 50235 | Ensure that Java version is the latest, if used to run the web app | Microsoft.Web/sites/Read |
| 50236 | Ensure that Web Apps use Azure Files | Microsoft.Web/sites/Read Microsoft.Web/sites/config/Read microsoft.web/sites/config/web/appsettings/read |
| 50237 | Ensure that Auditing Retention is greater than 90 days for Azure MSSQL Server | Microsoft.Sql/servers/read Microsoft.Sql/servers/auditingSettings/read |
| 50239 | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Microsoft.Compute/virtualMachineScaleSets/read |
| 50240 | Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled | Microsoft.DBforPostgreSQL/servers/read |
| 50241 | Ensure that Virtual Machine Scale Sets have encryption at host enabled | Microsoft.Compute/virtualMachineScaleSets/read |
| 50242 | Ensure that Azure Container Instance container groups are deployed in a virtual network | Microsoft.ContainerInstance/containerGroups/read |
| 50243 | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Microsoft.DocumentDB/databaseAccounts/read |
| 50244 | Ensure that Azure Data Factory uses Git repository for source control | Microsoft.DataFactory/factories/read |
| 50245 | Ensure that public network access is disabled in Azure Data Factory | Microsoft.DataFactory/factories/read |
| 50246 | Ensure that encryption is enabled for Data Lake Store accounts | Microsoft.DataLakeStore/accounts/read |
| 50248 | Ensure that API Management services use virtual networks | Microsoft.ApiManagement/service/read |
| 50249 | Ensure that public network access is disabled for Azure IoT Hub | Microsoft.Devices/iotHubs/Read |
| 50250 | Ensure that Firewall is enabled on Key Vaults | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read |
| 50251 | Ensure that Key Vault keys are backed by HSM | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/versions/read |
| 50252 | Ensure that Azure Event Grid domains have local authentication methods disabled | Microsoft.EventGrid/domains/read |
| 50253 | Ensure that Key Vault Secrets have Content-Type set | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/secrets/read |
| 50254 | Ensure that Azure Kubernetes Service uses disk encryption set | Microsoft.ContainerService/managedClusters/read |
| 50255 | Ensure that IP forwarding is disabled for Network Interfaces | Microsoft.Network/networkInterfaces/read |
| 50256 | Ensure that Network Interfaces don't use public IPs | Microsoft.Network/networkInterfaces/read |
| 50257 | Ensure that Web Application Firewall (WAF) is enabled in Azure Front Door Services | Microsoft.Cdn/profiles/read Microsoft.Cdn/profiles/securitypolicies/read |
| 50260 | Ensure that public network access is disabled for Cognitive Services accounts | Microsoft.CognitiveServices/accounts/read |
| 50261 | Ensure that Service Fabric cluster has the ClusterProtectionLevel property set to EncryptAndSign | Microsoft.ServiceFabric/clusters/read |
| 50262 | Ensure that Service Fabric cluster uses Azure Active Directory for authentication | Microsoft.ServiceFabric/clusters/read |
| 50263 | Ensure that MySQL server has infrastructure encryption enabled | Microsoft.DBforMySQL/servers/read |
| 50265 | Ensure that encryption at rest uses customer-managed key in Azure Data Explorer | Microsoft.Kusto/Clusters/read |
| 50267 | Ensure that Azure Data Factory is encrypted with a customer-managed key | Microsoft.DataFactory/factories/read |
| 50268 | Ensure that encryption with customer-managed key is enabled in MySQL Servers | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/keys/read |
| 50273 | Ensure that Azure Event Grid topics have local authentication methods disabled | Microsoft.EventGrid/topics/read |
| 50274 | Ensure that Diagnostic logs are enabled in Data Lake Analytics accounts | Microsoft.DataLakeAnalytics/accounts/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.DataLakeAnalytics/accounts/providers/Microsoft.Insights/diagnosticSettings/read |
| 50275 | Ensure that Diagnostic logs are enabled in Azure Data Lake Storage accounts | Microsoft.DataLakeStore/accounts/read Microsoft.DataLakeStore/accounts/providers/Microsoft.Insights/diagnosticSettings/read |
| 50276 | Ensure that Diagnostic logs are enabled in Search Services | Microsoft.Search/searchServices/read Microsoft.Search/searchServices/diagnosticSettings/read |
| 50277 | Ensure that Diagnostic logs are enabled in Logic Apps | Microsoft.Resources/resources/read Microsoft.Logic/workflows/read Microsoft.Insights/DiagnosticSettings/Read Microsoft.Logic/workflows/providers/Microsoft.Insights/diagnosticSettings/read |
| 50278 | Ensure that Container Registry disallows unrestricted network access | Microsoft.ContainerRegistry/registries/read |
| 50279 | Ensure that Azure Kubernetes Service (AKS) cluster has Network Policy configured | Microsoft.ContainerService/managedClusters/read |
| 50280 | Ensure that public network access is disabled for IoT Hub Device Provisioning Service instances | Microsoft.Devices/provisioningServices/Read |
| 50281 | Ensure that IoT Hub Device Provisioning Service instances use private links | Microsoft.Devices/provisioningServices/Read |
| 50282 | Ensure that Resource logs are enabled in IoT Hub | Microsoft.Devices/iotHubs/Read Microsoft.Devices/IotHubs/diagnosticSettings/read Microsoft.Insights/DiagnosticSettings/Read |
| 50283 | Ensure that Azure Data Factory Integration Runtimes have a limit for the number of cores | Microsoft.DataFactory/factories/read Microsoft.DataFactory/factories/integrationruntimes/read |
| 50284 | Ensure that Azure Data Factory uses private link | Microsoft.DataFactory/factories/read Microsoft.DataFactory/factories/privateEndpointConnections/read |
| 50285 | Ensure that SQL Server Integration Services Integration Runtimes on Azure Data Factory are joined to a virtual network | Microsoft.DataFactory/factories/read Microsoft.DataFactory/factories/integrationruntimes/read |
| 50286 | Ensure that Virtual network injection is enabled for Azure Data Explorer | Microsoft.Kusto/Clusters/read |
| 50287 | Ensure that public network access is disabled for Automation accounts | Microsoft.Automation/automationAccounts/read |
| 50288 | Ensure that Automation account uses customer-managed keys to encrypt data at rest | Microsoft.Automation/automationAccounts/read |
| 50289 | Ensure that Automation account has private endpoint connections enabled | Microsoft.Automation/automationAccounts/read |
| 50290 | Ensure that Azure Batch pools have disk encryption enabled | Microsoft.Batch/batchAccounts/read Microsoft.Batch/batchAccounts/pools/read |
| 50291 | Ensure that Azure Batch accounts have local authentication methods disabled | Microsoft.Batch/batchAccounts/read |
| 50292 | Ensure that Metric alert rules are configured on Batch accounts | Microsoft.Batch/batchAccounts/read Microsoft.Insights/MetricAlerts/Read |
| 50293 | Ensure that Batch accounts have private endpoint connections enabled | Microsoft.Batch/batchAccounts/read |
| 50294 | Ensure that public network access is disabled for Batch accounts | Microsoft.Batch/batchAccounts/read |
| 50295 | Ensure that Resource logs are enabled in Batch accounts | Microsoft.Batch/batchAccounts/read Microsoft.Insights/diagnosticSettings/read Microsoft.Batch/batchAccounts/providers/Microsoft.Insights/diagnosticSettings/read |
| 50296 | Ensure that Cognitive Services enable data encryption with customer-managed keys | Microsoft.CognitiveServices/accounts/read |
| 50297 | Ensure that Cognitive Services have local authentication methods disabled | Microsoft.CognitiveServices/accounts/read |
| 50298 | Ensure that Managed identity is used in Cognitive Services | Microsoft.CognitiveServices/accounts/read |
| 50299 | Ensure that Cognitive Services use private links | Microsoft.CognitiveServices/accounts/read |
| 50300 | Ensure that Azure Event Grid domains are configured to disable public network access | Microsoft.EventGrid/domains/read |
| 50301 | Ensure that public network access is disabled in Azure Event Grid topics | Microsoft.EventGrid/topics/read |
| 50302 | Ensure that Azure Event Grid domains use private links | Microsoft.EventGrid/domains/read |
| 50303 | Ensure that API Management Services use latest protocol for Client Side Security | Microsoft.ApiManagement/service/read |
| 50304 | Ensure that API Management Services use latest protocol for Backend Side Transport Security | Microsoft.ApiManagement/service/read |
| 50305 | Ensure that API Management services use a SKU that supports virtual networks | Microsoft.ApiManagement/service/read |
| 50306 | Ensure that Cipher Triple DES (3DES) is enabled for API Management resource | Microsoft.ApiManagement/service/read |
| 50307 | Ensure that HTTP/2 client side protocol is enabled for API Management resource | Microsoft.ApiManagement/service/read |
| 50308 | Ensure that System assigned Managed Identity is enabled for API Management Service | Microsoft.ApiManagement/service/read |
| 50309 | Ensure that Logic Apps are deployed into Integration Service Environment | Microsoft.Logic/workflows/read |
| 50313 | Ensure that Azure Storage Accounts are configured with private endpoints | Microsoft.Sql/servers/read; Microsoft.Sql/servers/vulnerabilityAssessments/read |
| 50314 | Ensure Trusted Launch is enabled on Virtual Machines | Microsoft.Sql/servers/read; Microsoft.Sql/servers/vulnerabilityAssessments/read |
| 50321 | Ensure that Azure Event Grid partner namespaces have local authentication methods disabled | Microsoft.EventGrid/partnerNamespaces/read |
| 50323 | Ensure that Azure Event Hub namespaces have local authentication methods disabled | Microsoft.EventHub/namespaces/read |
| 50324 | Ensure that Front Door WAF prevents message lookup in Log4j2 | Microsoft.Network/frontDoorWebApplicationFirewallPolicies/read |
| 50325 | Ensure that Application Gateway WAF prevents message lookup in Log4j2 | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read |
| 50327 | Ensure that SKU of the load balancer is not Basic | Microsoft.Network/loadBalancers/read |
| 50328 | Ensure that Application Insights retention Period is 90 days or more | Microsoft.Insights/Components/Read |
| 50329 | Ensure that Application Insights components block log ingestion and querying from public networks | Microsoft.Insights/Components/Read |
| 50330 | Ensure that protocol used by CDN profile endpoints is HTTPS | Microsoft.Cdn/profiles/read; Microsoft.Cdn/profiles/endpoints/read |
| 50331 | Ensure that Azure Spring Cloud service apps have end-to-end TLS enabled | Microsoft.AppPlatform/Spring/read; Microsoft.AppPlatform/Spring/apps/read |
| 50332 | Ensure that Azure Spring Cloud service apps have HTTPS enabled | Microsoft.AppPlatform/Spring/read; Microsoft.AppPlatform/Spring/apps/read |
| 50333 | Ensure that Application Insights is enabled for the Azure Spring Cloud service | Microsoft.AppPlatform/Spring/read; Microsoft.AppPlatform/spring/monitoringSettings/read |
| 50334 | Ensure that diagnostic settings are enabled for the Azure Spring Cloud service resource | Microsoft.AppPlatform/Spring/read; Microsoft.AppPlatform/spring/providers/microsoft.insights/diagnosticSettings/read; Microsoft.Insights/diagnosticSettings/read |
| 50335 | Ensure TLS Version is set to TLSV1.2 for MySQL flexible Database Server | Microsoft.DBforMySQL/flexibleServers/read; Microsoft.DBforMySQL/flexibleServers/configurations/read |
| 50336 | Ensure that Storage Account Access Keys are Periodically Regenerated | Microsoft.Storage/storageAccounts/read |
| 50337 | Ensure access to Azure SQL Servers is restricted within Azure Infrastructure via Azure SQL Firewall Rule | Microsoft.Sql/servers/read; Microsoft.Sql/servers/firewallRules/read |
| 50338 | Ensure public accessibility is not enabled for Azure MSSQL Server | Microsoft.Sql/servers/read |
| 50339 | Ensure that App Services web applications have always-on feature enabled | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/config/web/appsettings/read |
| 50340 | Ensure zone resiliency is turned on for Azure Image | Microsoft.Compute/images/read |
| 50341 | Ensure web sockets are disabled for Azure App Service | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/config/web/appsettings/read |
| 50342 | Ensure read-only cache is enabled on OS disks with read-heavy operations to get higher read IOPS for Azure Image | Microsoft.Compute/images/read |
| 50343 | Ensure that Auditing is Enabled for Azure SQL Server | Microsoft.Sql/servers/read; Microsoft.Sql/servers/auditingSettings/read |
| 50344 | Ensure that IP restriction rules are configured for Azure App Service | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/config/web/appsettings/read |
| 50345 | Ensure data exfiltration protection is enabled for Azure Synapse Workspace | Microsoft.Synapse/workspaces/read |
| 50346 | Ensure Hyper-V generation uses v2 for Azure Image | Microsoft.Compute/images/read |
| 50347 | Ensure firewall rules reject internet access for Azure Redis Cache | Microsoft.Cache/redis/read; Microsoft.Cache/redis/firewallRules/read |
| 50348 | Ensure that public network access is disabled for Azure Synapse Workspace | Microsoft.Synapse/workspaces/read |
| 50349 | Ensure missing service endpoints are disabled for Azure PostgreSQL Virtual Network Rule | Microsoft.DBforPostgreSQL/servers/read; Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read |
| 50350 | Ensure tags are associated with Azure CosmosDB account | Microsoft.DocumentDB/databaseAccounts/read |
| 50351 | Ensure that the number of days after creation before blob snapshots are deleted is more than 90 in the Azure Storage Management Policy | Microsoft.Storage/storageAccounts/read; Microsoft.Storage/storageAccounts/managementPolicies/read |
| 50352 | Ensure overprovisioning is disabled for Azure Linux Virtual Machine Scale Set | Microsoft.Compute/virtualMachineScaleSets/read |
| 50353 | Ensure that Azure Event Hub namespaces have double encryption enabled | Microsoft.EventHub/namespaces/read |
| 50354 | Ensure user IDs are system managed for Azure Container Group | Microsoft.ContainerInstance/containerGroups/read |
| 50355 | Ensure that VPN Encryption is enabled for Azure Virtual WAN | Microsoft.Network/virtualWans/read |
| 50356 | Ensure use of NSG with Azure Virtual Machine Scale Set | Microsoft.Compute/virtualMachineScaleSets/read |
| 50357 | Ensure flow logging is enabled for Azure Network Watcher via Azure Network Watcher Flow Log | Microsoft.Network/networkWatchers/read; Microsoft.Network/networkWatchers/flowLogs/read |
| 50358 | Ensure that admin user is disabled for Azure Container Registry | Microsoft.ContainerRegistry/registries/read |
| 50359 | Ensure queries over the public internet are not supported for Azure Log Analytics Workspace | Microsoft.OperationalInsights/workspaces/read |
| 50360 | Ensure that Microsoft Defender for Azure Cosmos DB is set to On | Microsoft.Security/pricings/read |
| 50361 | Ensure overprovisioning is disabled for Azure Windows Virtual Machine Scale Set | Microsoft.Compute/virtualMachineScaleSets/read |
| 50362 | Ensure log analytics workspace has daily quota value set for Azure Log Analytics Workspace | Microsoft.OperationalInsights/workspaces/read |
| 50363 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | Microsoft.Network/networkWatchers/read; Microsoft.Network/networkWatchers/flowLogs/read |
| 50364 | Ensure that Azure HDInsight clusters are injected into a virtual network | Microsoft.HDInsight/clusters/read |
| 50365 | Ensure end-to-end TLS is enabled to encrypt and securely transmit sensitive data to the backend for Azure Application Gateway | Microsoft.Network/applicationGateways/read |
| 50366 | Ensure HTTP is disallowed for Azure CDN Endpoint | Microsoft.Cdn/profiles/read; Microsoft.Cdn/profiles/endpoints/read |
| 50367 | Ensure auto-inflate is enabled for Azure Event Hub Namespace | Microsoft.EventHub/namespaces/read |
| 50368 | Ensure data backup is enabled using a blob container URI for Azure Analysis Services Servers | Microsoft.AnalysisServices/servers/read |
| 50369 | Ensure compression is enabled for Azure CDN Endpoint | Microsoft.Cdn/profiles/read; Microsoft.Cdn/profiles/endpoints/read |
| 50370 | Ensure Power BI analysis services are defined for Azure Analysis Services Server | Microsoft.AnalysisServices/servers/read |
| 50371 | Ensure that Azure HDInsight clusters use customer-managed keys to encrypt data at rest | Microsoft.HDInsight/clusters/read |
| 50372 | Ensure that a resource locking administrator role is available for each Azure subscription | Microsoft.Authorization/roleDefinitions |
| 50373 | Ensure that an activity log alert is created for Create or Update Load Balancer events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50374 | Ensure that an activity log alert is created for Create or Update Azure SQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50375 | Ensure that an activity log alert is created for Delete Azure SQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50376 | Ensure there is an activity log alert created for the Delete Key Vault events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50377 | Ensure there is an Azure activity log alert created for Delete Load Balancer events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50378 | Ensure that an activity log alert exists for Power Off Virtual Machine events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50379 | Ensure that an activity log alert is created for Rename Azure SQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50380 | Ensure that an activity log alert is created for Update Key Vault (Microsoft.KeyVault/vaults) events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50381 | Ensure that an activity log alert is created for Create/Update MySQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50382 | Ensure that an activity log alert is created for Create/Update PostgreSQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50383 | Ensure that an activity log alert is created for Delete MySQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50384 | Ensure that an activity log alert is created for Delete PostgreSQL Database events | Microsoft.Insights/ActivityLogAlerts/Read |
| 50385 | Ensure there is a sufficient backup retention period configured for Azure API App Services applications | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/backup/read; Microsoft.Web/sites/backups/Read |
| 50386 | Ensure there is a sufficient backup retention period configured for Azure Web App Services applications | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/backup/read; Microsoft.Web/sites/backups/Read |
| 50387 | Ensure that all your Azure API App Services applications are using the Backup and Restore feature | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/backup/read; Microsoft.Web/sites/backups/Read |
| 50388 | Ensure that all your Azure App Services applications are using the Backup and Restore feature in Web App | Microsoft.Web/sites/Read; Microsoft.Web/sites/config/Read; microsoft.web/sites/backup/read; Microsoft.Web/sites/backups/Read |
| 50389 | Ensure that Azure virtual machine scale sets are configured for zone redundancy | Microsoft.Compute/virtualMachineScaleSets/read |
| 50390 | Ensure that Azure Log Profile is configured to export all control and management activities | Microsoft.Insights/LogProfiles/Read |
| 50391 | Ensure that Azure Search Service instances are configured to use system-assigned managed identities | Microsoft.Search/searchServices/read |
| 50392 | Ensure that Azure Blob Storage service has a lifecycle management policy configured | Microsoft.Storage/storageAccounts/read; Microsoft.Storage/storageAccounts/managementPolicies/read |
| 50393 | Ensure that Azure Storage account access is limited only to specific IP address(es) | Microsoft.Storage/storageAccounts/read |
| 50394 | Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account | Microsoft.Consumption/budgets/read |
| 50395 | Ensure that Azure HDInsight clusters use encryption at host to encrypt data at rest | Microsoft.HDInsight/clusters/read |
| 50396 | Ensure that Azure HDInsight clusters use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Microsoft.HDInsight/clusters/read |
| 50397 | Ensure that Azure HDInsight clusters are configured with private endpoints | Microsoft.HDInsight/clusters/read |
| 50398 | Ensure that CORS does not allow every domain to access your FHIR Service | Microsoft.HealthcareApis/workspaces/read; Microsoft.HealthcareApis/workspaces/fhirservices/read |
| 50436 | Ensure that Activity Log Alert exists for Delete Public IP Address Rule | Microsoft.Insights/ActivityLogAlerts/Read |
| 50437 | Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Microsoft.Insights/ActivityLogAlerts/Read |
| 50438 | Ensure Virtual Machines are utilizing Managed Disks | Microsoft.Compute/virtualMachines/read |
| 50439 | Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | Microsoft.KeyVault/vaults/secrets/read Microsoft.KeyVault/vaults/read |
| 50440 | Ensure that private endpoints are configured for Cosmos DB | Microsoft.DocumentDB/databaseAccounts/read |
| 50441 | Enable Role Based Access Control for Azure Key Vault | Microsoft.Resources/resources/read Microsoft.KeyVault/vaults/read |
| 50442 | Ensure that the expiry date is set on all keys from non-RBAC Key Vault | Microsoft.KeyVault/vaults/keys/read |
| 50443 | Ensure that Enable key rotation reminders is enabled for each Storage Account | Microsoft.Storage/storageAccounts/read |
| 50444 | Ensure that logging for Azure Web App Service AppServiceHTTPLogs is enabled | Microsoft.Web/sites/Read microsoft.web/sites/providers/Microsoft.Insights/diagnosticSettings/read |
| 50445 | Ensure server parameter audit_log_enabled is set to ON for MySQL Database Server | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/configurations/read |
| 50446 | Ensure server parameter audit_log_events has CONNECTION set for MySQL Database Server | Microsoft.DBforMySQL/servers/read Microsoft.DBforMySQL/servers/configurations/read |
| 50447 | Ensure server parameter audit_log_enabled is set to ON for MySQL Flexible Database Server | Microsoft.DBforMySQL/flexibleServers/configurations/read |
| 50448 | Ensure server parameter audit_log_events has CONNECTION set for MySQL flexible Database Server | Microsoft.DBforMySQL/flexibleServers/configurations/read |
| 50449 | Ensure that logging for Azure API App Service AppServiceHTTPLogs is enabled | Microsoft.Web/sites/Read microsoft.web/sites/providers/Microsoft.Insights/diagnosticSettings/read |
| 50450 | Ensure that Application Insights is configured | Microsoft.Insights/Components/Read |
| 50451 | Ensure an Azure Bastion Host Exists | Microsoft.Network/bastionHosts/read |
| 50452 | Ensure Public IP Addresses are not using Basic SKU | Microsoft.Network/publicIPAddresses/read |
| 50453 | Ensure that SKU Basic/Consumption is not used by SQL PaaS Databases | Microsoft.Sql/servers/databases/read |
| 50454 | Ensure that SKU Basic/Consumption is not used by Redis Cache | Microsoft.Cache/redis/read |
| 50455 | Ensure Storage logging is enabled for Blob service for read, write and delete requests | Microsoft.Storage/storageAccounts/blobServices/read |
| 50456 | Ensure Storage logging is enabled for Table service for read, write and delete requests | Microsoft.Storage/storageAccounts/tableServices/read |
| 50457 | Ensure that Linux and Windows Disk encryption should be applied on virtual machines is set to On | Microsoft.Authorization/policyAssignments/read |
| 50458 | Ensure that cross-tenant replication is set to disabled | Microsoft.Storage/storageAccounts/read |
| 50459 | Ensure that Azure Application Gateways have Web Application Firewall (WAF) v2 enabled with a policy attached | Microsoft.Network/applicationGateways/read |
| 50460 | Ensure that Microsoft Defender is set to On for Containers | Microsoft.Security/pricings/read |
| 50461 | Ensure that Public Network Access is Disabled for storage accounts | Microsoft.Storage/storageAccounts/read |
| 50462 | Ensure that Allow Blob Anonymous Access is set to Disabled | Microsoft.Storage/storageAccounts/read |
| 50470 | Ensure that Private Endpoints are Used for Azure Key Vault | Microsoft.KeyVault/vaults/read |
| 50471 | Ensure Private Endpoints are used to access Storage Accounts | Microsoft.Storage/storageAccounts/read |