Reference#
The following rules and features are included in PSRule for Azure.
Info
The rule release indicates if the Azure feature is generally available (GA) or available under preview. Features provided under previews may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features see working with baselines.
Rules#
The following rules are included in PSRule for Azure.
| Reference | Name | Synopsis | Release |
|---|---|---|---|
| AZR-000001 | Azure.ACR.Usage | Regularly remove deprecated and unneeded images to reduce storage usage. | GA |
| AZR-000002 | Azure.ACR.ContainerScan | Container images or their base images may have vulnerabilities discovered after they are built. | GA |
| AZR-000003 | Azure.ACR.ImageHealth | Remove container images with known vulnerabilities. | GA |
| AZR-000004 | Azure.ACR.GeoReplica | Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start. | GA |
| AZR-000005 | Azure.ACR.AdminUser | The local admin account allows depersonalized access to a container registry using a shared secret. | GA |
| AZR-000006 | Azure.ACR.MinSku | ACR should use the Premium or Standard SKU for production deployments. | GA |
| AZR-000007 | Azure.ACR.Name | Container registry names should meet naming requirements. | GA |
| AZR-000008 | Azure.ACR.Quarantine | Enable container image quarantine, scan, and mark images as verified. | Preview |
| AZR-000009 | Azure.ACR.ContentTrust | Use container images signed by a trusted image publisher. | GA |
| AZR-000010 | Azure.ACR.Retention | Use a retention policy to cleanup untagged manifests. | Preview |
| AZR-000011 | Azure.ADX.Usage | Regularly remove unused resources to reduce costs. | GA |
| AZR-000012 | Azure.ADX.ManagedIdentity | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | GA |
| AZR-000013 | Azure.ADX.DiskEncryption | Use disk encryption for Azure Data Explorer (ADX) clusters. | GA |
| AZR-000014 | Azure.ADX.SLA | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | GA |
| AZR-000015 | Azure.AKS.Version | AKS control plane and nodes pools should use a current stable release. | GA |
| AZR-000016 | Azure.AKS.PoolVersion | AKS node pools should match Kubernetes control plane version. | GA |
| AZR-000017 | Azure.AKS.PoolScaleSet | Deploy AKS clusters with nodes pools based on VM scale sets. | GA |
| AZR-000018 | Azure.AKS.NodeMinPods | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | GA |
| AZR-000019 | Azure.AKS.AutoScaling | Use autoscaling to scale clusters based on workload requirements. | GA |
| AZR-000020 | Azure.AKS.CNISubnetSize | AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. | GA |
| AZR-000021 | Azure.AKS.AvailabilityZone | AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. | GA |
| AZR-000022 | Azure.AKS.AuditLogs | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | GA |
| AZR-000023 | Azure.AKS.PlatformLogs | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | GA |
| AZR-000024 | Azure.AKS.MinNodeCount | AKS clusters should have minimum number of system nodes for failover and updates. | GA |
| AZR-000025 | Azure.AKS.ManagedIdentity | Configure AKS clusters to use managed identities for managing cluster infrastructure. | GA |
| AZR-000026 | Azure.AKS.StandardLB | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | GA |
| AZR-000027 | Azure.AKS.NetworkPolicy | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | GA |
| AZR-000028 | Azure.AKS.AzurePolicyAddOn | Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. | GA |
| AZR-000029 | Azure.AKS.ManagedAAD | Use AKS-managed Azure AD to simplify authorization and improve security. | GA |
| AZR-000030 | Azure.AKS.AuthorizedIPs | Restrict access to API server endpoints to authorized IP addresses. | GA |
| AZR-000031 | Azure.AKS.LocalAccounts | Enforce named user accounts with RBAC assigned permissions. | GA |
| AZR-000032 | Azure.AKS.AzureRBAC | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | GA |
| AZR-000033 | Azure.AKS.SecretStore | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | GA |
| AZR-000034 | Azure.AKS.SecretStoreRotation | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | GA |
| AZR-000035 | Azure.AKS.HttpAppRouting | Disable HTTP application routing add-on in AKS clusters. | GA |
| AZR-000036 | Azure.AKS.AutoUpgrade | Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. | GA |
| AZR-000038 | Azure.AKS.UseRBAC | Deploy AKS cluster with role-based access control (RBAC) enabled. | GA |
| AZR-000039 | Azure.AKS.Name | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | GA |
| AZR-000040 | Azure.AKS.DNSPrefix | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | GA |
| AZR-000041 | Azure.AKS.ContainerInsights | Enable Container insights to monitor AKS cluster workloads. | GA |
| AZR-000042 | Azure.APIM.HTTPEndpoint | Unencrypted communication could allow disclosure of information to an untrusted party. | GA |
| AZR-000043 | Azure.APIM.APIDescriptors | APIs should have a display name and description. | GA |
| AZR-000044 | Azure.APIM.HTTPBackend | Unencrypted communication could allow disclosure of information to an untrusted party. | GA |
| AZR-000045 | Azure.APIM.EncryptValues | Encrypt all API Management named values with Key Vault secrets. | GA |
| AZR-000046 | Azure.APIM.ProductSubscription | Configure products to require a subscription. | GA |
| AZR-000047 | Azure.APIM.ProductApproval | Configure products to require approval. | GA |
| AZR-000048 | Azure.APIM.SampleProducts | Remove starter and unlimited sample products. | GA |
| AZR-000049 | Azure.APIM.ProductDescriptors | API Management products should have a display name and description. | GA |
| AZR-000050 | Azure.APIM.ProductTerms | Set legal terms for each product registered in API Management. | GA |
| AZR-000051 | Azure.APIM.CertificateExpiry | Renew certificates used for custom domain bindings. | GA |
| AZR-000052 | Azure.APIM.AvailabilityZone | API Management instances should use availability zones in supported regions for high availability. | GA |
| AZR-000053 | Azure.APIM.ManagedIdentity | Configure managed identities to access Azure resources. | GA |
| AZR-000054 | Azure.APIM.Protocols | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | GA |
| AZR-000055 | Azure.APIM.Ciphers | API Management should not accept weak or deprecated ciphers for client or backend communication. | GA |
| AZR-000056 | Azure.APIM.Name | API Management service names should meet naming requirements. | GA |
| AZR-000057 | Azure.AppConfig.SKU | App Configuration should use a minimum size of Standard. | GA |
| AZR-000058 | Azure.AppConfig.Name | App Configuration store names should meet naming requirements. | GA |
| AZR-000059 | Azure.AppGw.UseHTTPS | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | GA |
| AZR-000060 | Azure.AppGw.AvailabilityZone | Application Gateway (App Gateway) should use availability zones in supported regions for improved resiliency. | GA |
| AZR-000061 | Azure.AppGw.MinInstance | Application Gateways should use a minimum of two instances. | GA |
| AZR-000062 | Azure.AppGw.MinSku | Application Gateway should use a minimum instance size of Medium. | GA |
| AZR-000063 | Azure.AppGw.UseWAF | Internet accessible Application Gateways should use protect endpoints with WAF. | GA |
| AZR-000064 | Azure.AppGw.SSLPolicy | Application Gateway should only accept a minimum of TLS 1.2. | GA |
| AZR-000065 | Azure.AppGw.Prevention | Internet exposed Application Gateways should use prevention mode to protect backend resources. | GA |
| AZR-000066 | Azure.AppGw.WAFEnabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | GA |
| AZR-000067 | Azure.AppGw.OWASP | Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. | GA |
| AZR-000068 | Azure.AppGw.WAFRules | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA |
| AZR-000069 | Azure.AppInsights.Workspace | Configure Application Insights resources to store data in a workspace. | GA |
| AZR-000070 | Azure.AppInsights.Name | Azure Application Insights resources names should meet naming requirements. | GA |
| AZR-000071 | Azure.AppService.PlanInstanceCount | App Service Plan should use a minimum number of instances for failover. | GA |
| AZR-000072 | Azure.AppService.MinPlan | Use at least a Standard App Service Plan. | GA |
| AZR-000073 | Azure.AppService.MinTLS | App Service should reject TLS versions older than 1.2. | GA |
| AZR-000074 | Azure.AppService.RemoteDebug | Disable remote debugging on App Service apps when not in use. | GA |
| AZR-000075 | Azure.AppService.NETVersion | Configure applications to use newer .NET versions. | GA |
| AZR-000076 | Azure.AppService.PHPVersion | Configure applications to use newer PHP runtime versions. | GA |
| AZR-000077 | Azure.AppService.AlwaysOn | Configure Always On for App Service apps. | GA |
| AZR-000078 | Azure.AppService.HTTP2 | Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. | GA |
| AZR-000079 | Azure.AppService.WebProbe | Configure and enable instance health probes. | GA |
| AZR-000080 | Azure.AppService.WebProbePath | Configure a dedicated path for health probe requests. | GA |
| AZR-000081 | Azure.AppService.WebSecureFtp | Web apps should disable insecure FTP and configure SFTP when required. | GA |
| AZR-000082 | Azure.AppService.ManagedIdentity | Configure managed identities to access Azure resources. | GA |
| AZR-000083 | Azure.AppService.ARRAffinity | Disable client affinity for stateless services. | GA |
| AZR-000084 | Azure.AppService.UseHTTPS | Unencrypted communication could allow disclosure of information to an untrusted party. | GA |
| AZR-000085 | Azure.ASG.Name | Application Security Group (ASG) names should meet naming requirements. | GA |
| AZR-000086 | Azure.Automation.EncryptVariables | Azure Automation variables should be encrypted. | GA |
| AZR-000087 | Azure.Automation.WebHookExpiry | Do not create webhooks with an expiry time greater than 1 year (default). | GA |
| AZR-000088 | Azure.Automation.AuditLogs | Ensure automation account audit diagnostic logs are enabled. | GA |
| AZR-000089 | Azure.Automation.PlatformLogs | Ensure automation account platform diagnostic logs are enabled. | GA |
| AZR-000090 | Azure.Automation.ManagedIdentity | Ensure Managed Identity is used for authentication. | GA |
| AZR-000091 | Azure.CDN.EndpointName | Azure CDN Endpoint names should meet naming requirements. | GA |
| AZR-000092 | Azure.CDN.MinTLS | Azure CDN endpoints should reject TLS versions older than 1.2. | GA |
| AZR-000093 | Azure.CDN.HTTP | Unencrypted communication could allow disclosure of information to an untrusted party. | GA |
| AZR-000094 | Azure.ContainerApp.Insecure | Ensure insecure inbound traffic is not permitted to the container app. | GA |
| AZR-000095 | Azure.Cosmos.DisableMetadataWrite | Use Entra ID identities for management place operations in Azure Cosmos DB. | GA |
| AZR-000096 | Azure.Cosmos.AccountName | Cosmos DB account names should meet naming requirements. | GA |
| AZR-000097 | Azure.DataFactory.Version | Consider migrating to DataFactory v2. | GA |
| AZR-000098 | Azure.EventGrid.TopicPublicAccess | Use Private Endpoints to access Event Grid topics and domains. | GA |
| AZR-000099 | Azure.EventGrid.ManagedIdentity | Use managed identities to deliver Event Grid Topic events. | GA |
| AZR-000100 | Azure.EventGrid.DisableLocalAuth | Authenticate publishing clients with Azure AD identities. | GA |
| AZR-000101 | Azure.EventHub.Usage | Regularly remove unused resources to reduce costs. | GA |
| AZR-000102 | Azure.EventHub.DisableLocalAuth | Authenticate Event Hub publishers and consumers with Entra ID identities. | GA |
| AZR-000103 | Azure.Firewall.Name | Firewall names should meet naming requirements. | GA |
| AZR-000104 | Azure.Firewall.PolicyName | Firewall policy names should meet naming requirements. | GA |
| AZR-000105 | Azure.Firewall.Mode | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | GA |
| AZR-000106 | Azure.FrontDoor.MinTLS | Front Door Classic instances should reject TLS versions older than 1.2. | GA |
| AZR-000107 | Azure.FrontDoor.Logs | Audit and monitor access through Azure Front Door profiles. | GA |
| AZR-000108 | Azure.FrontDoor.Probe | Use health probes to check the health of each backend. | GA |
| AZR-000109 | Azure.FrontDoor.ProbeMethod | Configure health probes to use HEAD requests to reduce performance overhead. | GA |
| AZR-000110 | Azure.FrontDoor.ProbePath | Configure a dedicated path for health probe requests. | GA |
| AZR-000111 | Azure.FrontDoor.UseWAF | Enable Web Application Firewall (WAF) policies on each Front Door endpoint. | GA |
| AZR-000112 | Azure.FrontDoor.State | Enable Azure Front Door Classic instance. | GA |
| AZR-000113 | Azure.FrontDoor.Name | Front Door names should meet naming requirements. | GA |
| AZR-000114 | Azure.FrontDoor.WAF.Mode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA |
| AZR-000115 | Azure.FrontDoor.WAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA |
| AZR-000116 | Azure.FrontDoor.WAF.Name | Front Door WAF policy names should meet naming requirements. | GA |
| AZR-000117 | Azure.Identity.UserAssignedName | Managed Identity names should meet naming requirements. | GA |
| AZR-000118 | Azure.KeyVault.AccessPolicy | Use the principal of least privilege when assigning access to Key Vault. | GA |
| AZR-000119 | Azure.KeyVault.Logs | Ensure audit diagnostics logs are enabled to audit Key Vault access. | GA |
| AZR-000120 | Azure.KeyVault.Name | Key Vault names should meet naming requirements. | GA |
| AZR-000121 | Azure.KeyVault.SecretName | Key Vault Secret names should meet naming requirements. | GA |
| AZR-000122 | Azure.KeyVault.KeyName | Key Vault Key names should meet naming requirements. | GA |
| AZR-000123 | Azure.KeyVault.AutoRotationPolicy | Key Vault keys should have auto-rotation enabled. | GA |
| AZR-000124 | Azure.KeyVault.SoftDelete | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | GA |
| AZR-000125 | Azure.KeyVault.PurgeProtect | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | GA |
| AZR-000126 | Azure.LB.Probe | Use a specific probe for web protocols. | GA |
| AZR-000127 | Azure.LB.AvailabilityZone | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | GA |
| AZR-000128 | Azure.LB.StandardSKU | Load balancers should be deployed with Standard SKU for production workloads. | GA |
| AZR-000129 | Azure.LB.Name | Load Balancer names should meet naming requirements. | GA |
| AZR-000130 | Azure.LogicApp.LimitHTTPTrigger | Limit HTTP request trigger access to trusted IP addresses. | GA |
| AZR-000131 | Azure.MySQL.UseSSL | Enforce encrypted MySQL connections. | GA |
| AZR-000132 | Azure.MySQL.MinTLS | MySQL DB servers should reject TLS versions older than 1.2. | GA |
| AZR-000133 | Azure.MySQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | GA |
| AZR-000134 | Azure.MySQL.AllowAzureAccess | Determine if access from Azure services is required. | GA |
| AZR-000135 | Azure.MySQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | GA |
| AZR-000136 | Azure.MySQL.ServerName | Azure MySQL DB server names should meet naming requirements. | GA |
| AZR-000137 | Azure.NSG.AnyInboundSource | Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. | GA |
| AZR-000138 | Azure.NSG.DenyAllInbound | When all inbound traffic is denied, some functions that affect the reliability of your service may not work as expected. | GA |
| AZR-000139 | Azure.NSG.LateralTraversal | Deny outbound management connections from non-management hosts. | GA |
| AZR-000140 | Azure.NSG.Associated | Network Security Groups (NSGs) should be associated to a subnet or network interface. | GA |
| AZR-000141 | Azure.NSG.Name | Network Security Group (NSG) names should meet naming requirements. | GA |
| AZR-000142 | Azure.Policy.Descriptors | Policy and initiative definitions should use a display name, description, and category. | GA |
| AZR-000143 | Azure.Policy.AssignmentDescriptors | Policy assignments should use a display name and description. | GA |
| AZR-000144 | Azure.Policy.AssignmentAssignedBy | Policy assignments should use assignedBy metadata. | GA |
| AZR-000145 | Azure.Policy.ExemptionDescriptors | Policy exemptions should use a display name and description. | GA |
| AZR-000146 | Azure.Policy.WaiverExpiry | Configure policy waiver exemptions to expire. | GA |
| AZR-000147 | Azure.PostgreSQL.UseSSL | Enforce encrypted PostgreSQL connections. | GA |
| AZR-000148 | Azure.PostgreSQL.MinTLS | PostgreSQL DB servers should reject TLS versions older than 1.2. | GA |
| AZR-000149 | Azure.PostgreSQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | GA |
| AZR-000150 | Azure.PostgreSQL.AllowAzureAccess | Determine if access from Azure services is required. | GA |
| AZR-000151 | Azure.PostgreSQL.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | GA |
| AZR-000152 | Azure.PostgreSQL.ServerName | Azure PostgreSQL DB server names should meet naming requirements. | GA |
| AZR-000153 | Azure.PrivateEndpoint.Name | Private Endpoint names should meet naming requirements. | GA |
| AZR-000154 | Azure.PublicIP.IsAttached | Public IP addresses should be attached or cleaned up if not in use. | GA |
| AZR-000155 | Azure.PublicIP.Name | Public IP names should meet naming requirements. | GA |
| AZR-000156 | Azure.PublicIP.DNSLabel | Public IP domain name labels should meet naming requirements. | GA |
| AZR-000157 | Azure.PublicIP.AvailabilityZone | Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. | GA |
| AZR-000158 | Azure.PublicIP.StandardSKU | The basic SKU is being retired on 30 September 2025, and does not include several reliability and security features. | GA |
| AZR-000159 | Azure.Redis.MinSKU | Use Azure Cache for Redis instances of at least Standard C1. | GA |
| AZR-000160 | Azure.Redis.MaxMemoryReserved | Configure maxmemory-reserved to reserve memory for non-cache operations. | GA |
| AZR-000161 | Azure.Redis.AvailabilityZone | Premium Redis cache should be deployed with availability zones for high availability. | GA |
| AZR-000162 | Azure.RedisEnterprise.Zones | Enterprise Redis cache should be zone-redundant for high availability. | GA |
| AZR-000163 | Azure.Redis.NonSslPort | Azure Cache for Redis should only accept secure connections. | GA |
| AZR-000164 | Azure.Redis.MinTLS | Redis Cache should reject TLS versions older than 1.2. | GA |
| AZR-000165 | Azure.Redis.PublicNetworkAccess | Redis cache should disable public network access. | GA |
| AZR-000166 | Azure.Resource.UseTags | Azure resources should be tagged using a standard convention. | GA |
| AZR-000167 | Azure.Resource.AllowedRegions | Resources should be deployed to allowed regions. | GA |
| AZR-000168 | Azure.ResourceGroup.Name | Resource Group names should meet naming requirements. | GA |
| AZR-000169 | Azure.Route.Name | Route table names should meet naming requirements. | GA |
| AZR-000170 | Azure.RSV.StorageType | Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. | GA |
| AZR-000171 | Azure.RSV.ReplicationAlert | Recovery Services Vaults (RSV) without replication alerts configured may be at risk. | GA |
| AZR-000172 | Azure.Search.SKU | Use the basic and standard tiers for entry level workloads. | GA |
| AZR-000173 | Azure.Search.QuerySLA | Use a minimum of 2 replicas to receive an SLA for index queries. | GA |
| AZR-000174 | Azure.Search.IndexSLA | Use a minimum of 3 replicas to receive an SLA for query and index updates. | GA |
| AZR-000175 | Azure.Search.ManagedIdentity | Configure managed identities to access Azure resources. | GA |
| AZR-000176 | Azure.Search.Name | AI Search service names should meet naming requirements. | GA |
| AZR-000177 | Azure.ServiceBus.Usage | Regularly remove unused resources to reduce costs. | GA |
| AZR-000178 | Azure.ServiceBus.DisableLocalAuth | Authenticate Service Bus publishers and consumers with Entra ID identities. | GA |
| AZR-000179 | Azure.ServiceFabric.AAD | Use Entra ID client authentication for Service Fabric clusters. | GA |
| AZR-000180 | Azure.SignalR.Name | SignalR service instance names should meet naming requirements. | GA |
| AZR-000181 | Azure.SignalR.ManagedIdentity | Configure SignalR Services to use managed identities to access Azure resources securely. | GA |
| AZR-000182 | Azure.SignalR.SLA | Use SKUs that include an SLA when configuring SignalR Services. | GA |
| AZR-000183 | Azure.SQL.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | GA |
| AZR-000184 | Azure.SQL.AllowAzureAccess | Determine if access from Azure services is required. | GA |
| AZR-000185 | Azure.SQL.FirewallIPRange | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | GA |
| AZR-000186 | Azure.SQL.DefenderCloud | Enable Microsoft Defender for Azure SQL logical server. | GA |
| AZR-000187 | Azure.SQL.Auditing | Enable auditing for Azure SQL logical server. | GA |
| AZR-000188 | Azure.SQL.AAD | Use Entra ID authentication with Azure SQL databases. | GA |
| AZR-000189 | Azure.SQL.MinTLS | Azure SQL Database servers should reject TLS versions older than 1.2. | GA |
| AZR-000190 | Azure.SQL.ServerName | Azure SQL logical server names should meet naming requirements. | GA |
| AZR-000191 | Azure.SQL.TDE | Use Transparent Data Encryption (TDE) with Azure SQL Database. | GA |
| AZR-000192 | Azure.SQL.DBName | Azure SQL Database names should meet naming requirements. | GA |
| AZR-000193 | Azure.SQL.FGName | Azure SQL failover group names should meet naming requirements. | GA |
| AZR-000194 | Azure.SQLMI.Name | SQL Managed Instance names should meet naming requirements. | GA |
| AZR-000195 | Azure.Storage.UseReplication | Storage Accounts using the LRS SKU are only replicated within a single zone. | GA |
| AZR-000196 | Azure.Storage.SecureTransfer | Storage accounts should only accept encrypted connections. | GA |
| AZR-000197 | Azure.Storage.SoftDelete | Enable blob soft delete on Storage Accounts. | GA |
| AZR-000198 | Azure.Storage.BlobPublicAccess | Storage Accounts should only accept authorized requests. | GA |
| AZR-000199 | Azure.Storage.BlobAccessType | Use containers configured with a private access type that requires authorization. | GA |
| AZR-000200 | Azure.Storage.MinTLS | Storage Accounts should reject TLS versions older than 1.2. | GA |
| AZR-000201 | Azure.Storage.Name | Storage Account names should meet naming requirements. | GA |
| AZR-000202 | Azure.Storage.Firewall | Storage Accounts should only accept explicitly allowed traffic. | GA |
| AZR-000203 | Azure.RBAC.UseGroups | Use groups for assigning permissions instead of individual user accounts. | GA |
| AZR-000204 | Azure.RBAC.LimitOwner | Limit the number of subscription Owners. | GA |
| AZR-000205 | Azure.RBAC.LimitMGDelegation | Limit Role-Base Access Control (RBAC) inheritance from Management Groups. | GA |
| AZR-000206 | Azure.RBAC.CoAdministrator | Delegate access to manage Azure resources using role-based access control (RBAC). | GA |
| AZR-000207 | Azure.RBAC.UseRGDelegation | Use RBAC assignments on resource groups instead of individual resources. | GA |
| AZR-000208 | Azure.RBAC.PIM | Use just-in-time (JiT) activation of roles instead of persistent role assignment. | GA |
| AZR-000209 | Azure.Defender.SecurityContact | Important security notifications may be lost or not processed in a timely manner when a clear security contact is not identified. | GA |
| AZR-000210 | Azure.DefenderCloud.Provisioning | Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. | GA |
| AZR-000211 | Azure.Monitor.ServiceHealth | Configure Service Health alerts to notify administrators. | GA |
| AZR-000212 | Azure.Template.TemplateFile | Use ARM template files that are valid. | GA |
| AZR-000213 | Azure.Template.TemplateSchema | Use a more recent version of the Azure template schema. | GA |
| AZR-000214 | Azure.Template.TemplateScheme | Use an Azure template file schema with the https scheme. | GA |
| AZR-000215 | Azure.Template.ParameterMetadata | Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. | GA |
| AZR-000216 | Azure.Template.Resources | Each Azure Resource Manager (ARM) template file should deploy at least one resource. | GA |
| AZR-000217 | Azure.Template.UseParameters | Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. | deprecated |
| AZR-000218 | Azure.Template.DefineParameters | Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. | deprecated |
| AZR-000219 | Azure.Template.UseVariables | Each Azure Resource Manager (ARM) template variable should be used or removed from template files. | deprecated |
| AZR-000220 | Azure.Template.LocationDefault | Set the default value for the location parameter within an ARM template to resource group location. | GA |
| AZR-000221 | Azure.Template.LocationType | Location parameters should use a string value. | GA |
| AZR-000222 | Azure.Template.ResourceLocation | Resource locations should be an expression or global. | GA |
| AZR-000223 | Azure.Template.UseLocationParameter | Template should reference a location parameter to specify resource location. | GA |
| AZR-000224 | Azure.Template.ParameterMinMaxValue | Template parameters minValue and maxValue constraints must be valid. | GA |
| AZR-000225 | Azure.Template.DebugDeployment | Use default deployment detail level for nested deployments. | GA |
| AZR-000226 | Azure.Template.ParameterDataTypes | Set the parameter default value to a value of the same type. | GA |
| AZR-000227 | Azure.Template.ParameterStrongType | Set the parameter value to a value that matches the specified strong type. | GA |
| AZR-000228 | Azure.Template.ExpressionLength | Template expressions should not exceed the maximum length. | GA |
| AZR-000229 | Azure.Template.ParameterFile | Use ARM template parameter files that are valid. | GA |
| AZR-000230 | Azure.Template.ParameterScheme | Use an Azure template parameter file schema with the https scheme. | GA |
| AZR-000231 | Azure.Template.MetadataLink | Configure a metadata link for each parameter file. | GA |
| AZR-000232 | Azure.Template.ParameterValue | Specify a value for each parameter in template parameter files. | GA |
| AZR-000233 | Azure.Template.ValidSecretRef | Use a valid secret reference within parameter files. | deprecated |
| AZR-000234 | Azure.Template.UseComments | Use comments for each resource in ARM template to communicate purpose. | GA |
| AZR-000235 | Azure.Template.UseDescriptions | Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. | GA |
| AZR-000236 | Azure.TrafficManager.Endpoints | Traffic Manager should use at lest two enabled endpoints. | GA |
| AZR-000237 | Azure.TrafficManager.Protocol | Monitor Traffic Manager web-based endpoints with HTTPS. | GA |
| AZR-000238 | Azure.VM.UseManagedDisks | Virtual machines (VMs) should use managed disks. | GA |
| AZR-000239 | Azure.VM.Standalone | Use VM features to increase reliability and improve covered SLA for VM configurations. | GA |
| AZR-000240 | Azure.VM.PromoSku | Virtual machines (VMs) should not use expired promotional SKU. | GA |
| AZR-000241 | Azure.VM.BasicSku | Virtual machines (VMs) should not use Basic sizes. | GA |
| AZR-000242 | Azure.VM.DiskCaching | Check disk caching is configured correctly for the workload. | GA |
| AZR-000243 | Azure.VM.UseHybridUseBenefit | Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. | GA |
| AZR-000244 | Azure.VM.AcceleratedNetworking | Use accelerated networking for supported operating systems and VM types. | GA |
| AZR-000245 | Azure.VM.PublicKey | Linux virtual machines should use public keys. | GA |
| AZR-000246 | Azure.VM.Agent | Ensure the VM agent is provisioned automatically. | GA |
| AZR-000247 | Azure.VM.Updates | Ensure automatic updates are enabled at deployment. | GA |
| AZR-000248 | Azure.VM.Name | Virtual Machine (VM) names should meet naming requirements. | GA |
| AZR-000249 | Azure.VM.ComputerName | Virtual Machine (VM) computer name should meet naming requirements. | GA |
| AZR-000250 | Azure.VM.DiskAttached | Managed disks should be attached to virtual machines or removed. | GA |
| AZR-000251 | Azure.VM.DiskSizeAlignment | Align to the Managed Disk billing increments to improve cost efficiency. | GA |
| AZR-000252 | Azure.VM.ADE | Use Azure Disk Encryption (ADE). | GA |
| AZR-000253 | Azure.VM.DiskName | Managed Disk names should meet naming requirements. | GA |
| AZR-000254 | Azure.VM.ASAlignment | Use availability sets aligned with managed disks fault domains. | GA |
| AZR-000255 | Azure.VM.ASMinMembers | Availability sets should be deployed with at least two virtual machines (VMs). | GA |
| AZR-000256 | Azure.VM.ASName | Availability Set names should meet naming requirements. | GA |
| AZR-000257 | Azure.NIC.Attached | Network interfaces (NICs) that are not used should be removed. | GA |
| AZR-000258 | Azure.NIC.UniqueDns | Network interfaces (NICs) should inherit DNS from virtual networks. | GA |
| AZR-000259 | Azure.NIC.Name | Network Interface (NIC) names should meet naming requirements. | GA |
| AZR-000260 | Azure.VM.PPGName | Proximity Placement Group (PPG) names should meet naming requirements. | GA |
| AZR-000261 | Azure.VMSS.Name | Virtual Machine Scale Set (VMSS) names should meet naming requirements. | GA |
| AZR-000262 | Azure.VMSS.ComputerName | Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. | GA |
| AZR-000263 | Azure.VNET.UseNSGs | Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. | GA |
| AZR-000264 | Azure.VNET.SingleDNS | Virtual networks (VNETs) should have at least two DNS servers assigned. | GA |
| AZR-000265 | Azure.VNET.LocalDNS | Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. | GA |
| AZR-000266 | Azure.VNET.PeerState | VNET peering connections must be connected. | GA |
| AZR-000267 | Azure.VNET.SubnetName | Subnet names should meet naming requirements. | GA |
| AZR-000268 | Azure.VNET.Name | Virtual Network (VNET) names should meet naming requirements. | GA |
| AZR-000269 | Azure.VNG.VPNLegacySKU | Migrate from legacy SKUs to improve reliability and performance of VPN gateways. | GA |
| AZR-000270 | Azure.VNG.VPNActiveActive | Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. | GA |
| AZR-000271 | Azure.VNG.ERLegacySKU | Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. | GA |
| AZR-000272 | Azure.VNG.VPNAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with VPN gateway type. | GA |
| AZR-000273 | Azure.VNG.ERAvailabilityZoneSKU | Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. | GA |
| AZR-000274 | Azure.VNG.Name | Virtual Network Gateway (VNG) names should meet naming requirements. | GA |
| AZR-000275 | Azure.VNG.ConnectionName | Virtual Network Gateway (VNG) connection names should meet naming requirements. | GA |
| AZR-000276 | Azure.vWAN.Name | Virtual WAN (vWAN) names should meet naming requirements. | GA |
| AZR-000277 | Azure.WebPubSub.ManagedIdentity | Configure Web PubSub Services to use managed identities to access Azure resources securely. | GA |
| AZR-000278 | Azure.WebPubSub.SLA | Use SKUs that include an SLA when configuring Web PubSub Services. | GA |
| AZR-000279 | Azure.Deployment.OutputSecretValue | Outputting a sensitive value from deployment may leak secrets into deployment history or logs. | GA |
| AZR-000280 | Azure.AI.PublicAccess | Restrict access of Azure AI services to authorized virtual networks. | GA |
| AZR-000281 | Azure.AI.ManagedIdentity | Configure managed identities to access Azure resources. | GA |
| AZR-000282 | Azure.AI.DisableLocalAuth | Access keys allow depersonalized access to Azure AI using a shared secret. | GA |
| AZR-000283 | Azure.AI.PrivateEndpoints | Use Private Endpoints to access Azure AI services accounts. | GA |
| AZR-000284 | Azure.Deployment.AdminUsername | A sensitive property set from deterministic or hardcoded values is not secure. | GA |
| AZR-000285 | Azure.AKS.UptimeSLA | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | GA |
| AZR-000286 | Azure.CDN.UseFrontDoor | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | GA |
| AZR-000287 | Azure.AKS.EphemeralOSDisk | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | GA |
| AZR-000288 | Azure.VMSS.PublicKey | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | GA |
| AZR-000289 | Azure.Storage.ContainerSoftDelete | Enable container soft delete on Storage Accounts. | GA |
| AZR-000290 | Azure.Defender.Containers | Enable Microsoft Defender for Containers. | GA |
| AZR-000291 | Azure.AppConfig.DisableLocalAuth | Access keys allow depersonalized access to App Configuration using a shared secret. | GA |
| AZR-000292 | Azure.NSG.AKSRules | AKS Network Security Group (NSG) should not have custom rules. | GA |
| AZR-000293 | Azure.Defender.Servers | Enable Microsoft Defender for Servers. | GA |
| AZR-000294 | Azure.Defender.SQL | Enable Microsoft Defender for SQL servers. | GA |
| AZR-000295 | Azure.Defender.AppServices | Enable Microsoft Defender for App Service. | GA |
| AZR-000296 | Azure.Defender.Storage | Enable Microsoft Defender for Storage. | GA |
| AZR-000297 | Azure.Defender.SQLOnVM | Enable Microsoft Defender for SQL servers on machines. | GA |
| AZR-000298 | Azure.Storage.FileShareSoftDelete | Enable soft delete on Storage Accounts file shares. | GA |
| AZR-000299 | Azure.Redis.FirewallRuleCount | Determine if there is an excessive number of firewall rules for the Redis cache. | GA |
| AZR-000300 | Azure.Redis.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses for the Redis cache. | GA |
| AZR-000301 | Azure.RedisEnterprise.MinTLS | Redis Cache should reject TLS versions older than 1.2. | GA |
| AZR-000302 | Azure.AppGwWAF.PreventionMode | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA |
| AZR-000303 | Azure.AppGwWAF.Exclusions | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA |
| AZR-000304 | Azure.AppGwWAF.RuleGroups | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA |
| AZR-000305 | Azure.FrontDoorWAF.Enabled | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA |
| AZR-000306 | Azure.FrontDoorWAF.PreventionMode | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA |
| AZR-000307 | Azure.FrontDoorWAF.Exclusions | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA |
| AZR-000308 | Azure.FrontDoorWAF.RuleGroups | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA |
| AZR-000309 | Azure.AppGwWAF.Enabled | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | GA |
| AZR-000310 | Azure.ACR.SoftDelete | Azure Container Registries should have soft delete policy enabled. | Preview |
| AZR-000311 | Azure.AppConfig.AuditLogs | Ensure app configuration store audit diagnostic logs are enabled. | GA |
| AZR-000312 | Azure.AppConfig.GeoReplica | Replicate app configuration store across all points of presence for an application. | GA |
| AZR-000313 | Azure.AppConfig.PurgeProtect | Consider purge protection for app configuration store to ensure store cannot be purged in the retention period. | GA |
| AZR-000314 | Azure.VNET.BastionSubnet | VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. | GA |
| AZR-000315 | Azure.ServiceBus.MinTLS | Service Bus namespaces should reject TLS versions older than 1.2. | GA |
| AZR-000316 | Azure.Deployment.SecureValue | A secret property set from a non-secure value may leak the secret into deployment history or logs. | GA |
| AZR-000317 | Azure.VM.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | GA |
| AZR-000318 | Azure.VMSS.MigrateAMA | Use Azure Monitor Agent as replacement for Log Analytics Agent. | GA |
| AZR-000319 | Azure.ASE.MigrateV3 | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | GA |
| AZR-000320 | Azure.FrontDoor.UseCaching | Use caching to reduce retrieving contents from origins. | GA |
| AZR-000321 | Azure.APIM.MinAPIVersion | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | GA |
| AZR-000322 | Azure.VNET.FirewallSubnet | Use Azure Firewall to filter network traffic to and from Azure resources. | GA |
| AZR-000323 | Azure.MySQL.GeoRedundantBackup | Azure Database for MySQL should store backups in a geo-redundant storage. | GA |
| AZR-000324 | Azure.VM.SQLServerDisk | Use Premium SSD disks or greater for data and log files for production SQL Server workloads. | GA |
| AZR-000325 | Azure.MySQL.UseFlexible | Use Azure Database for MySQL Flexible Server deployment model. | GA |
| AZR-000326 | Azure.PostgreSQL.GeoRedundantBackup | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | GA |
| AZR-000327 | Azure.PostgreSQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. | GA |
| AZR-000328 | Azure.MySQL.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MySQL. | GA |
| AZR-000329 | Azure.MariaDB.GeoRedundantBackup | Azure Database for MariaDB should store backups in a geo-redundant storage. | GA |
| AZR-000330 | Azure.MariaDB.DefenderCloud | Enable Microsoft Defender for Cloud for Azure Database for MariaDB. | GA |
| AZR-000331 | Azure.Deployment.OuterSecret | Outer evaluation deployments may leak secrets exposed as secure parameters into logs and nested deployments. | GA |
| AZR-000332 | Azure.VM.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | GA |
| AZR-000333 | Azure.VMSS.ScriptExtensions | Custom Script Extensions scripts that reference secret values must use the protectedSettings. | GA |
| AZR-000334 | Azure.MariaDB.UseSSL | Azure Database for MariaDB servers should only accept encrypted connections. | GA |
| AZR-000335 | Azure.MariaDB.MinTLS | Azure Database for MariaDB servers should reject TLS versions older than 1.2. | GA |
| AZR-000336 | Azure.MariaDB.ServerName | Azure Database for MariaDB servers should meet naming requirements. | GA |
| AZR-000337 | Azure.MariaDB.DatabaseName | Azure Database for MariaDB databases should meet naming requirements. | GA |
| AZR-000338 | Azure.MariaDB.FirewallRuleName | Azure Database for MariaDB firewall rules should meet naming requirements. | GA |
| AZR-000339 | Azure.MariaDB.VNETRuleName | Azure Database for MariaDB VNET rules should meet naming requirements. | GA |
| AZR-000340 | Azure.APIM.MultiRegion | Enhance service availability and resilience by deploying API Management instances across multiple regions. | GA |
| AZR-000341 | Azure.APIM.MultiRegionGateway | API Management instances should have multi-region deployment gateways enabled. | GA |
| AZR-000342 | Azure.MariaDB.AllowAzureAccess | Determine if access from Azure services is required. | GA |
| AZR-000343 | Azure.MariaDB.FirewallRuleCount | Determine if there is an excessive number of firewall rules. | GA |
| AZR-000344 | Azure.MariaDB.FirewallIPRange | Determine if there is an excessive number of permitted IP addresses. | GA |
| AZR-000345 | Azure.VM.AMA | Use Azure Monitor Agent for collecting monitoring data from VMs. | GA |
| AZR-000346 | Azure.VMSS.AMA | Use Azure Monitor Agent for collecting monitoring data from VM scale sets. | GA |
| AZR-000347 | Azure.Redis.Version | Azure Cache for Redis should use the latest supported version of Redis. | GA |
| AZR-000348 | Azure.AppGw.Name | Application Gateways should meet naming requirements. | GA |
| AZR-000349 | Azure.Bastion.Name | Bastion hosts should meet naming requirements. | GA |
| AZR-000350 | Azure.RSV.Name | Recovery Services vaults should meet naming requirements. | GA |
| AZR-000351 | Azure.VM.ShouldNotBeStopped | Azure VMs should be running or in a deallocated state. | GA |
| AZR-000352 | Azure.Defender.KeyVault | Enable Microsoft Defender for Key Vault. | GA |
| AZR-000353 | Azure.Defender.Dns | Enable Microsoft Defender for DNS. | GA |
| AZR-000354 | Azure.Defender.Arm | Enable Microsoft Defender for Azure Resource Manager (ARM). | GA |
| AZR-000355 | Azure.KeyVault.Firewall | Key Vault should only accept explicitly allowed traffic. | GA |
| AZR-000356 | Azure.EventHub.MinTLS | Event Hub namespaces should reject TLS versions older than 1.2. | GA |
| AZR-000357 | Azure.IoTHub.MinTLS | IoT Hubs should reject TLS versions older than 1.2. | GA |
| AZR-000358 | Azure.ServiceBus.AuditLogs | Ensure namespaces audit diagnostic logs are enabled. | GA |
| AZR-000359 | Azure.Deployment.Name | Nested deployments should meet naming requirements of deployments. | GA |
| AZR-000360 | Azure.ContainerApp.Name | Container Apps should meet naming requirements. | GA |
| AZR-000361 | Azure.ContainerApp.ManagedIdentity | Ensure managed identity is used for authentication. | GA |
| AZR-000362 | Azure.ContainerApp.ExternalIngress | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | GA |
| AZR-000363 | Azure.ContainerApp.PublicAccess | Ensure public network access for Container Apps environment is disabled. | GA |
| AZR-000364 | Azure.ContainerApp.Storage | Use of Azure Files volume mounts to persistent storage container data. | GA |
| AZR-000365 | Azure.APIM.CORSPolicy | Avoid using wildcard for any configuration option in CORS policies. | GA |
| AZR-000366 | Azure.SQLMI.AADOnly | Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. | GA |
| AZR-000367 | Azure.SQLMI.ManagedIdentity | Ensure managed identity is used to allow support for Azure AD authentication. | GA |
| AZR-000368 | Azure.SQLMI.AAD | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | GA |
| AZR-000369 | Azure.SQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure SQL Database. | GA |
| AZR-000370 | Azure.AKS.DefenderProfile | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | GA |
| AZR-000371 | Azure.APIM.PolicyBase | Base element for any policy element in a section should be configured. | GA |
| AZR-000372 | Azure.Defender.Cspm | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | GA |
| AZR-000373 | Azure.Arc.Kubernetes.Defender | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Preview |
| AZR-000374 | Azure.Arc.Server.MaintenanceConfig | Use a maintenance configuration for Arc-enabled servers. | Preview |
| AZR-000375 | Azure.VM.MaintenanceConfig | Use a maintenance configuration for virtual machines. | GA |
| AZR-000376 | Azure.AppGw.MigrateV2 | Use a Application Gateway v2 SKU. | GA |
| AZR-000377 | Azure.Defender.Api | Enable Microsoft Defender for APIs. | GA |
| AZR-000378 | Azure.ContainerApp.DisableAffinity | Disable session affinity to prevent unbalanced distribution. | GA |
| AZR-000379 | Azure.Defender.CosmosDb | Enable Microsoft Defender for Azure Cosmos DB. | GA |
| AZR-000380 | Azure.ContainerApp.RestrictIngress | IP ingress restrictions mode should be set to allow action for all rules defined. | GA |
| AZR-000381 | Azure.Defender.OssRdb | Enable Microsoft Defender for open-source relational databases. | GA |
| AZR-000382 | Azure.Cosmos.DefenderCloud | Enable Microsoft Defender for Azure Cosmos DB. | GA |
| AZR-000383 | Azure.Defender.Storage.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | GA |
| AZR-000384 | Azure.Storage.Defender.MalwareScan | Enable Malware Scanning in Microsoft Defender for Storage. | GA |
| AZR-000385 | Azure.Defender.Storage.DataScan | Enable sensitive data threat detection in Microsoft Defender for Storage. | Preview |
| AZR-000386 | Azure.Storage.DefenderCloud | Enable Microsoft Defender for Storage for storage accounts. | GA |
| AZR-000387 | Azure.APIM.DefenderCloud | APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. | GA |
| AZR-000388 | Azure.KeyVault.RBAC | Key Vaults should use Azure RBAC as the authorization system for the data plane. | GA |
| AZR-000389 | Azure.PostgreSQL.AAD | Use Entra ID authentication with Azure Database for PostgreSQL databases. | GA |
| AZR-000390 | Azure.PostgreSQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases. | GA |
| AZR-000391 | Azure.Storage.Defender.DataScan | Enable sensitive data threat detection in Microsoft Defender for Storage. | Preview |
| AZR-000392 | Azure.MySQL.AAD | Use Entra ID authentication with Azure Database for MySQL databases. | GA |
| AZR-000393 | Azure.Databricks.SecureConnectivity | Use Databricks workspaces configured for secure cluster connectivity. | GA |
| AZR-000394 | Azure.MySQL.AADOnly | Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases. | GA |
| AZR-000395 | Azure.PublicIP.MigrateStandard | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | GA |
| AZR-000396 | Azure.FrontDoor.ManagedIdentity | Ensure Front Door uses a managed identity to authorize access to Azure resources. | GA |
| AZR-000397 | Azure.RSV.Immutable | Ensure immutability is configured to protect backup data. | GA |
| AZR-000398 | Azure.BV.Immutable | Ensure immutability is configured to protect backup data. | GA |
| AZR-000399 | Azure.Firewall.PolicyMode | Deny high confidence malicious IP addresses, domains and URLs. | GA |
| AZR-000400 | Azure.ContainerApp.APIVersion | Migrate from retired API version to a supported version. | GA |
| AZR-000401 | Azure.ACR.AnonymousAccess | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Preview |
| AZR-000402 | Azure.ACR.Firewall | Container Registry without restrictions can be accessed from any network location including the Internet. | GA |
| AZR-000403 | Azure.ML.ComputeIdleShutdown | Configure an idle shutdown timeout for Machine Learning compute instances. | GA |
| AZR-000404 | Azure.ML.DisableLocalAuth | Azure Machine Learning compute resources should have local authentication methods disabled. | GA |
| AZR-000405 | Azure.ML.ComputeVnet | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | GA |
| AZR-000406 | Azure.ML.PublicAccess | Disable public network access from a Azure Machine Learning workspace. | GA |
| AZR-000407 | Azure.ML.UserManagedIdentity | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | GA |
| AZR-000408 | Azure.Deployment.SecureParameter | Sensitive parameters that have been not been marked as secure may leak the secret into deployment history or logs. | GA |
| AZR-000409 | Azure.Databricks.SKU | Ensure Databricks workspaces are non-trial SKUs for production workloads. | GA |
| AZR-000410 | Azure.Databricks.PublicAccess | Azure Databricks workspaces should disable public network access. | GA |
| AZR-000411 | Azure.DevBox.ProjectLimit | Limit the number of Dev Boxes a single user can create for a project. | GA |
| AZR-000412 | Azure.AKS.MinUserPoolNodes | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | GA |
| AZR-000413 | Azure.ContainerApp.MinReplicas | Use multiple replicas to remove a single point of failure. | GA |
| AZR-000414 | Azure.ContainerApp.AvailabilityZone | Use Container Apps environments that are zone redundant to improve reliability. | GA |
| AZR-000415 | Azure.Cosmos.MinTLS | Cosmos DB accounts should reject TLS versions older than 1.2. | GA |
| AZR-000416 | Azure.EntraDS.NTLM | Disable NTLM v1 for Microsoft Entra Domain Services. | GA |
| AZR-000417 | Azure.EntraDS.TLS | Disable TLS v1 for Microsoft Entra Domain Services. | GA |
| AZR-000418 | Azure.EntraDS.RC4 | Disable RC4 encryption for Microsoft Entra Domain Services. | GA |
| AZR-000419 | Azure.Cosmos.SLA | Use a paid tier to qualify for a Service Level Agreement (SLA). | GA |
| AZR-000420 | Azure.Cosmos.DisableLocalAuth | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | GA |
| AZR-000421 | Azure.Cosmos.PublicAccess | Azure Cosmos DB should have public network access disabled. | GA |
| AZR-000422 | Azure.EventHub.Firewall | Access to the namespace endpoints should be restricted to only allowed sources. | GA |
| AZR-000423 | Azure.AppGw.MigrateWAFPolicy | Migrate to Application Gateway WAF policy. | GA |
| AZR-000424 | Azure.Grafana.Version | Grafana workspaces should be on Grafana version 10. | GA |
| AZR-000425 | Azure.LogAnalytics.Replication | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Preview |
| AZR-000426 | Azure.VMSS.AutoInstanceRepairs | Automatic instance repairs are enabled. | Preview |
| AZR-000427 | Azure.Redis.EntraID | Use Entra ID authentication with cache instances. | GA |
| AZR-000428 | Azure.AppService.NodeJsVersion | Configure applications to use supported Node.js runtime versions. | GA |
| AZR-000429 | Azure.Firewall.AvailabilityZone | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | GA |
| AZR-000430 | Azure.VNG.MaintenanceConfig | Use a customer-controlled maintenance configuration for virtual network gateways. | Preview |
| AZR-000431 | Azure.MySQL.MaintenanceWindow | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | GA |
| AZR-000432 | Azure.MySQL.ZoneRedundantHA | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | GA |
| AZR-000433 | Azure.PostgreSQL.MaintenanceWindow | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | GA |
| AZR-000434 | Azure.PostgreSQL.ZoneRedundantHA | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | GA |
| AZR-000435 | Azure.AKS.NodeAutoUpgrade | Deploy AKS Clusters with Node Auto-Upgrade enabled | GA |
| AZR-000436 | Azure.VMSS.AvailabilityZone | Deploy virtual machine scale set instances using availability zones in supported regions to ensure high availability and resilience. | GA |
| AZR-000437 | Azure.AVD.ScheduleAgentUpdate | Define a windows for agent updates to minimize disruptions to users. | GA |
| AZR-000438 | Azure.VMSS.ZoneBalance | Deploy virtual machine scale set instances using the best-effort zone balance in supported regions. | GA |
| AZR-000439 | Azure.Cosmos.ContinuousBackup | Enable continuous backup on Cosmos DB accounts. | GA |
| AZR-000440 | Azure.SQL.MaintenanceWindow | Configure a customer-controlled maintenance window for Azure SQL databases. | GA |
| AZR-000441 | Azure.SQLMI.MaintenanceWindow | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | GA |
| AZR-000442 | Azure.AppService.AvailabilityZone | Deploy app service plan instances using availability zones in supported regions to ensure high availability and resilience. | GA |
| AZR-000443 | Azure.ASE.AvailabilityZone | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | GA |
| AZR-000444 | Azure.ServiceBus.GeoReplica | Enhance resilience to regional outages by replicating namespaces. | Preview |
| AZR-000445 | Azure.AKS.AuditAdmin | Use kube-audit-admin instead of kube-audit to capture administrative actions in AKS clusters. | GA |
| AZR-000446 | Azure.AKS.MaintenanceWindow | Configure customer-controlled maintenance windows for AKS clusters. | GA |
| AZR-000447 | Azure.VNET.PrivateSubnet | Disable default outbound access for virtual machines. | Preview |
| AZR-000448 | Azure.VNET.FirewallSubnetNAT | Zonal-deployed Azure Firewalls should consider using an Azure NAT Gateway for outbound access. | GA |
| AZR-000449 | Azure.VM.PublicIPAttached | Avoid attaching public IPs directly to virtual machines. | GA |
| AZR-000450 | Azure.VMSS.PublicIPAttached | Avoid attaching public IPs directly to virtual machine scale set instances. | GA |
| AZR-000451 | Azure.VM.ASDistributeTraffic | Ensure high availability by distributing traffic among members in an availability set. | GA |
| AZR-000452 | Azure.VM.MultiTenantHosting | Deploy Windows 10 and 11 virtual machines in Azure using Multi-tenant Hosting Rights to leverage your existing Windows licenses. | GA |