Skip to content

Azure.GA_2023_12#

v1.32.0

Warning

This baseline is obsolete. Consider switching to a newer baseline.

Include rules released December 2023 or prior for Azure GA features.

Rules#

The following rules are included within the Azure.GA_2023_12 baseline.

This baseline includes a total of 384 rules.

Name Synopsis Severity
Azure.ACR.AdminUser The local admin account allows depersonalized access to a container registry using a shared secret. Critical
Azure.ACR.ContainerScan Container images or their base images may have vulnerabilities discovered after they are built. Critical
Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. Important
Azure.ACR.Firewall Container Registry without restrictions can be accessed from any network location including the Internet. Important
Azure.ACR.GeoReplica Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start. Important
Azure.ACR.ImageHealth Remove container images with known vulnerabilities. Critical
Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. Important
Azure.ACR.Name Container registry names should meet naming requirements. Awareness
Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. Important
Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. Important
Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. Important
Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. Important
Azure.ADX.Usage Regularly remove unused resources to reduce costs. Important
Azure.AI.DisableLocalAuth Access keys allow depersonalized access to Azure AI using a shared secret. Important
Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. Important
Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. Important
Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. Important
Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. Important
Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. Important
Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. Important
Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. Important
Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. Important
Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. Important
Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. Important
Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. Important
Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. Important
Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. Awareness
Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. Important
Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. Important
Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. Important
Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. Important
Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. Important
Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. Important
Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. Awareness
Azure.AKS.NetworkPolicy AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. Important
Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. Important
Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. Important
Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. Important
Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. Important
Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. Important
Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. Important
Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. Important
Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. Important
Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. Important
Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. Important
Azure.APIM.APIDescriptors APIs should have a display name and description. Awareness
Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. Important
Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. Critical
Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. Important
Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. Critical
Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. Important
Azure.APIM.HTTPBackend Unencrypted communication could allow disclosure of information to an untrusted party. Critical
Azure.APIM.HTTPEndpoint Unencrypted communication could allow disclosure of information to an untrusted party. Important
Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. Important
Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. Important
Azure.APIM.Name API Management service names should meet naming requirements. Awareness
Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. Important
Azure.APIM.ProductApproval Configure products to require approval. Important
Azure.APIM.ProductDescriptors API Management products should have a display name and description. Awareness
Azure.APIM.ProductSubscription Configure products to require a subscription. Important
Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. Important
Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. Critical
Azure.APIM.SampleProducts Remove starter and unlimited sample products. Awareness
Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. Important
Azure.AppConfig.DisableLocalAuth Access keys allow depersonalized access to App Configuration using a shared secret. Important
Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. Important
Azure.AppConfig.Name App Configuration store names should meet naming requirements. Awareness
Azure.AppConfig.PurgeProtect Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. Important
Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. Important
Azure.AppGw.AvailabilityZone Application Gateway (App Gateway) should use availability zones in supported regions for improved resiliency. Important
Azure.AppGw.MigrateV2 Use a Application Gateway v2 SKU. Important
Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. Important
Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. Important
Azure.AppGw.Name Application Gateways should meet naming requirements. Awareness
Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. Important
Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. Critical
Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. Critical
Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. Critical
Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. Critical
Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical
Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. Important
Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. Critical
Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. Critical
Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. Awareness
Azure.AppInsights.Workspace Configure Application Insights resources to store data in a workspace. Important
Azure.AppService.AlwaysOn Configure Always On for App Service apps. Important
Azure.AppService.ARRAffinity Disable client affinity for stateless services. Awareness
Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. Awareness
Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.AppService.MinPlan Use at least a Standard App Service Plan. Important
Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. Critical
Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. Important
Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. Important
Azure.AppService.UseHTTPS Unencrypted communication could allow disclosure of information to an untrusted party. Important
Azure.AppService.WebProbe Configure and enable instance health probes. Important
Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. Important
Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. Important
Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. Important
Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. Awareness
Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. Important
Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. Important
Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. Important
Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. Important
Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). Awareness
Azure.Bastion.Name Bastion hosts should meet naming requirements. Awareness
Azure.BV.Immutable Ensure immutability is configured to protect backup data. Important
Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. Awareness
Azure.CDN.HTTP Unencrypted communication could allow disclosure of information to an untrusted party. Important
Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. Important
Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. Important
Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. Important
Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. Awareness
Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. Important
Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. Important
Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. Important
Azure.ContainerApp.Name Container Apps should meet naming requirements. Awareness
Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. Important
Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. Important
Azure.ContainerApp.Storage Use of Azure Files volume mounts to persistent storage container data. Awareness
Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. Awareness
Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. Critical
Azure.Cosmos.DisableMetadataWrite Use Entra ID identities for management place operations in Azure Cosmos DB. Important
Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. Critical
Azure.DataFactory.Version Consider migrating to DataFactory v2. Awareness
Azure.Defender.Api Enable Microsoft Defender for APIs. Critical
Azure.Defender.AppServices Enable Microsoft Defender for App Service. Critical
Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). Critical
Azure.Defender.Containers Enable Microsoft Defender for Containers. Critical
Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. Critical
Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. Critical
Azure.Defender.Dns Enable Microsoft Defender for DNS. Critical
Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. Critical
Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. Critical
Azure.Defender.Servers Enable Microsoft Defender for Servers. Critical
Azure.Defender.SQL Enable Microsoft Defender for SQL servers. Critical
Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. Critical
Azure.Defender.Storage Enable Microsoft Defender for Storage. Critical
Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. Important
Azure.Deployment.AdminUsername A sensitive property set from deterministic or hardcoded values is not secure. Awareness
Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. Awareness
Azure.Deployment.OuterSecret Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. Critical
Azure.Deployment.OutputSecretValue Outputting a sensitive value from deployment may leak secrets into deployment history or logs. Critical
Azure.Deployment.SecureParameter Sensitive parameters that have been not been marked as secure may leak the secret into deployment history or logs. Critical
Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. Important
Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. Important
Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. Important
Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. Important
Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. Critical
Azure.EventHub.Usage Regularly remove unused resources to reduce costs. Important
Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. Critical
Azure.Firewall.Name Firewall names should meet naming requirements. Awareness
Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. Critical
Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. Awareness
Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. Important
Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. Critical
Azure.FrontDoor.Name Front Door names should meet naming requirements. Awareness
Azure.FrontDoor.Probe Use health probes to check the health of each backend. Important
Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. Important
Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. Important
Azure.FrontDoor.State Enable Azure Front Door Classic instance. Important
Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. Important
Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. Critical
Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical
Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. Awareness
Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. Critical
Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. Critical
Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Critical
Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. Awareness
Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. Critical
Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. Important
Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. Important
Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. Important
Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. Awareness
Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. Important
Azure.KeyVault.Name Key Vault names should meet naming requirements. Awareness
Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. Important
Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. Awareness
Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. Awareness
Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. Important
Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. Important
Azure.LB.Name Load Balancer names should meet naming requirements. Awareness
Azure.LB.Probe Use a specific probe for web protocols. Important
Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. Important
Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. Critical
Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. Awareness
Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. Important
Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. Awareness
Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. Important
Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. Critical
Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. Awareness
Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. Critical
Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. Awareness
Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. Critical
Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). Critical
Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. Critical
Azure.ML.PublicAccess Disable public network access from a Azure Machine Learning workspace. Critical
Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. Important
Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. Important
Azure.MySQL.AAD Use Entra ID authentication with Azure Database for MySQL databases. Critical
Azure.MySQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. Important
Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. Important
Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. Important
Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. Critical
Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. Awareness
Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. Important
Azure.MySQL.UseSSL Enforce encrypted MySQL connections. Critical
Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. Awareness
Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. Awareness
Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. Awareness
Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. Awareness
Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. Critical
Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. Awareness
Azure.NSG.DenyAllInbound When all inbound traffic is denied, some functions that affect the reliability of your service may not work as expected. Important
Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. Important
Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. Awareness
Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. Awareness
Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. Awareness
Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. Awareness
Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. Awareness
Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. Awareness
Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. Critical
Azure.PostgreSQL.AADOnly Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. Important
Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. Important
Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. Important
Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. Important
Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. Critical
Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. Awareness
Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. Critical
Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. Awareness
Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. Important
Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. Awareness
Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. Important
Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. Important
Azure.PublicIP.Name Public IP names should meet naming requirements. Awareness
Azure.PublicIP.StandardSKU The basic SKU is being retired on 30 September 2025, and does not include several reliability and security features. Important
Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). Important
Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. Important
Azure.RBAC.LimitOwner Limit the number of subscription Owners. Important
Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. Important
Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. Important
Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. Important
Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. Important
Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. Critical
Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. Awareness
Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. Important
Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. Important
Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. Critical
Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. Critical
Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. Important
Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. Critical
Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. Important
Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. Important
Azure.Resource.UseTags Azure resources should be tagged using a standard convention. Awareness
Azure.ResourceGroup.Name Resource Group names should meet naming requirements. Awareness
Azure.Route.Name Route table names should meet naming requirements. Awareness
Azure.RSV.Immutable Ensure immutability is configured to protect backup data. Important
Azure.RSV.Name Recovery Services vaults should meet naming requirements. Awareness
Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. Important
Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. Important
Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. Important
Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. Important
Azure.Search.Name AI Search service names should meet naming requirements. Awareness
Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. Important
Azure.Search.SKU Use the basic and standard tiers for entry level workloads. Critical
Azure.ServiceBus.AuditLogs Ensure namespaces audit diagnostic logs are enabled. Important
Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. Important
Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. Important
Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. Important
Azure.ServiceFabric.AAD Use Entra ID client authentication for Service Fabric clusters. Critical
Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. Important
Azure.SignalR.Name SignalR service instance names should meet naming requirements. Awareness
Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. Important
Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. Critical
Azure.SQL.AADOnly Ensure Entra ID only authentication is enabled with Azure SQL Database. Important
Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. Important
Azure.SQL.Auditing Enable auditing for Azure SQL logical server. Important
Azure.SQL.DBName Azure SQL Database names should meet naming requirements. Awareness
Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. Important
Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. Awareness
Azure.SQL.FirewallIPRange Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. Important
Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. Awareness
Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. Critical
Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. Awareness
Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. Critical
Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. Critical
Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. Important
Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. Important
Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. Awareness
Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. Important
Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. Important
Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. Important
Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. Critical
Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. Important
Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. Important
Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. Critical
Azure.Storage.Name Storage Account names should meet naming requirements. Awareness
Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. Important
Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. Important
Azure.Storage.UseReplication Storage Accounts using the LRS SKU are only replicated within a single zone. Important
Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. Awareness
Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. Awareness
Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. Awareness
Azure.Template.LocationType Location parameters should use a string value. Important
Azure.Template.MetadataLink Configure a metadata link for each parameter file. Important
Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. Important
Azure.Template.ParameterFile Use ARM template parameter files that are valid. Important
Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. Awareness
Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. Important
Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. Awareness
Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. Awareness
Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. Awareness
Azure.Template.ResourceLocation Resource locations should be an expression or global. Awareness
Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. Awareness
Azure.Template.TemplateFile Use ARM template files that are valid. Important
Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. Awareness
Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. Awareness
Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. Awareness
Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. Awareness
Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. Awareness
Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. Important
Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. Important
Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. Important
Azure.VM.ADE Use Azure Disk Encryption (ADE). Important
Azure.VM.Agent Ensure the VM agent is provisioned automatically. Important
Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. Important
Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. Important
Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). Important
Azure.VM.ASName Availability Set names should meet naming requirements. Awareness
Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. Important
Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. Awareness
Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. Important
Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. Important
Azure.VM.DiskName Managed Disk names should meet naming requirements. Awareness
Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. Awareness
Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important
Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. Awareness
Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. Awareness
Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. Awareness
Azure.VM.PublicKey Linux virtual machines should use public keys. Important
Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important
Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. Important
Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. Important
Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. Important
Azure.VM.Updates Ensure automatic updates are enabled at deployment. Important
Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. Awareness
Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. Important
Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. Important
Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. Awareness
Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. Important
Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. Awareness
Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. Important
Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. Important
Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. Important
Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. Important
Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. Important
Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. Awareness
Azure.VNET.PeerState VNET peering connections must be connected. Important
Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. Important
Azure.VNET.SubnetName Subnet names should meet naming requirements. Awareness
Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. Critical
Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. Awareness
Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. Important
Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. Critical
Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. Awareness
Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. Important
Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. Important
Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. Critical
Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. Awareness
Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. Important
Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. Important