Reference

The following rules and features are included in PSRule for Azure.

Info

The rule release indicates whether the Azure feature is generally available (GA) or available under preview. Features provided under preview may have additional limits, availability restrictions, or terms. By default, PSRule for Azure will not provide recommendations that relate to preview features. To include rules for preview features, see working with baselines.

Rules

The following rules are included in PSRule for Azure.

Reference Name Synopsis Release
AZR-000001 Azure.ACR.Usage Regularly remove deprecated and unneeded images to reduce storage usage. GA
AZR-000002 Azure.ACR.ContainerScan Enable vulnerability scanning for container images. GA
AZR-000003 Azure.ACR.ImageHealth Remove container images with known vulnerabilities. GA
AZR-000004 Azure.ACR.GeoReplica Use geo-replicated container registries to compliment a multi-region container deployments. GA
AZR-000005 Azure.ACR.AdminUser Use Entra ID identities instead of using the registry admin user. GA
AZR-000006 Azure.ACR.MinSku ACR should use the Premium or Standard SKU for production deployments. GA
AZR-000007 Azure.ACR.Name Container registry names should meet naming requirements. GA
AZR-000008 Azure.ACR.Quarantine Enable container image quarantine, scan, and mark images as verified. Preview
AZR-000009 Azure.ACR.ContentTrust Use container images signed by a trusted image publisher. GA
AZR-000010 Azure.ACR.Retention Use a retention policy to cleanup untagged manifests. Preview
AZR-000011 Azure.ADX.Usage Regularly remove unused resources to reduce costs. GA
AZR-000012 Azure.ADX.ManagedIdentity Configure Data Explorer clusters to use managed identities to access Azure resources securely. GA
AZR-000013 Azure.ADX.DiskEncryption Use disk encryption for Azure Data Explorer (ADX) clusters. GA
AZR-000014 Azure.ADX.SLA Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. GA
AZR-000015 Azure.AKS.Version AKS control plane and nodes pools should use a current stable release. GA
AZR-000016 Azure.AKS.PoolVersion AKS node pools should match Kubernetes control plane version. GA
AZR-000017 Azure.AKS.PoolScaleSet Deploy AKS clusters with nodes pools based on VM scale sets. GA
AZR-000018 Azure.AKS.NodeMinPods Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. GA
AZR-000019 Azure.AKS.AutoScaling Use autoscaling to scale clusters based on workload requirements. GA
AZR-000020 Azure.AKS.CNISubnetSize AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues. GA
AZR-000021 Azure.AKS.AvailabilityZone AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability. GA
AZR-000022 Azure.AKS.AuditLogs AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. GA
AZR-000023 Azure.AKS.PlatformLogs AKS clusters should collect platform diagnostic logs to monitor the state of workloads. GA
AZR-000024 Azure.AKS.MinNodeCount AKS clusters should have minimum number of system nodes for failover and updates. GA
AZR-000025 Azure.AKS.ManagedIdentity Configure AKS clusters to use managed identities for managing cluster infrastructure. GA
AZR-000026 Azure.AKS.StandardLB Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. GA
AZR-000027 Azure.AKS.NetworkPolicy Deploy AKS clusters with Network Policies enabled. GA
AZR-000028 Azure.AKS.AzurePolicyAddOn Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes. GA
AZR-000029 Azure.AKS.ManagedAAD Use AKS-managed Azure AD to simplify authorization and improve security. GA
AZR-000030 Azure.AKS.AuthorizedIPs Restrict access to API server endpoints to authorized IP addresses. GA
AZR-000031 Azure.AKS.LocalAccounts Enforce named user accounts with RBAC assigned permissions. GA
AZR-000032 Azure.AKS.AzureRBAC Use Azure RBAC for Kubernetes Authorization with AKS clusters. GA
AZR-000033 Azure.AKS.SecretStore Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. GA
AZR-000034 Azure.AKS.SecretStoreRotation Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. GA
AZR-000035 Azure.AKS.HttpAppRouting Disable HTTP application routing add-on in AKS clusters. GA
AZR-000036 Azure.AKS.AutoUpgrade Configure AKS to automatically upgrade to newer supported AKS versions as they are made available. GA
AZR-000038 Azure.AKS.UseRBAC Deploy AKS cluster with role-based access control (RBAC) enabled. GA
AZR-000039 Azure.AKS.Name Azure Kubernetes Service (AKS) cluster names should meet naming requirements. GA
AZR-000040 Azure.AKS.DNSPrefix Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. GA
AZR-000041 Azure.AKS.ContainerInsights Enable Container insights to monitor AKS cluster workloads. GA
AZR-000042 Azure.APIM.HTTPEndpoint Enforce HTTPS for communication to API clients. GA
AZR-000043 Azure.APIM.APIDescriptors API Management APIs should have a display name and description. GA
AZR-000044 Azure.APIM.HTTPBackend Use HTTPS for communication to backend services. GA
AZR-000045 Azure.APIM.EncryptValues Encrypt all API Management named values with Key Vault secrets. GA
AZR-000046 Azure.APIM.ProductSubscription Configure products to require a subscription. GA
AZR-000047 Azure.APIM.ProductApproval Configure products to require approval. GA
AZR-000048 Azure.APIM.SampleProducts Remove starter and unlimited sample products. GA
AZR-000049 Azure.APIM.ProductDescriptors API Management products should have a display name and description. GA
AZR-000050 Azure.APIM.ProductTerms Set legal terms for each product registered in API Management. GA
AZR-000051 Azure.APIM.CertificateExpiry Renew certificates used for custom domain bindings. GA
AZR-000052 Azure.APIM.AvailabilityZone API management services deployed with Premium SKU should use availability zones in supported regions for high availability. GA
AZR-000053 Azure.APIM.ManagedIdentity Configure managed identities to access Azure resources. GA
AZR-000054 Azure.APIM.Protocols API Management should only accept a minimum of TLS 1.2 for client and backend communication. GA
AZR-000055 Azure.APIM.Ciphers API Management should not accept weak or deprecated ciphers for client or backend communication. GA
AZR-000056 Azure.APIM.Name API Management service names should meet naming requirements. GA
AZR-000057 Azure.AppConfig.SKU App Configuration should use a minimum size of Standard. GA
AZR-000058 Azure.AppConfig.Name App Configuration store names should meet naming requirements. GA
AZR-000059 Azure.AppGw.UseHTTPS Application Gateways should only expose frontend HTTP endpoints over HTTPS. GA
AZR-000060 Azure.AppGw.AvailabilityZone Application gateways should use availability zones in supported regions for high availability. GA
AZR-000061 Azure.AppGw.MinInstance Application Gateways should use a minimum of two instances. GA
AZR-000062 Azure.AppGw.MinSku Application Gateway should use a minimum instance size of Medium. GA
AZR-000063 Azure.AppGw.UseWAF Internet accessible Application Gateways should use protect endpoints with WAF. GA
AZR-000064 Azure.AppGw.SSLPolicy Application Gateway should only accept a minimum of TLS 1.2. GA
AZR-000065 Azure.AppGw.Prevention Internet exposed Application Gateways should use prevention mode to protect backend resources. GA
AZR-000066 Azure.AppGw.WAFEnabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA
AZR-000067 Azure.AppGw.OWASP Application Gateway Web Application Firewall (WAF) should use OWASP 3.x rules. GA
AZR-000068 Azure.AppGw.WAFRules Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA
AZR-000069 Azure.AppInsights.Workspace Configure Application Insights resources to store data in workspaces. GA
AZR-000070 Azure.AppInsights.Name Azure Application Insights resources names should meet naming requirements. GA
AZR-000071 Azure.AppService.PlanInstanceCount App Service Plan should use a minimum number of instances for failover. GA
AZR-000072 Azure.AppService.MinPlan Use at least a Standard App Service Plan. GA
AZR-000073 Azure.AppService.MinTLS App Service should reject TLS versions older than 1.2. GA
AZR-000074 Azure.AppService.RemoteDebug Disable remote debugging on App Service apps when not in use. GA
AZR-000075 Azure.AppService.NETVersion Configure applications to use newer .NET versions. GA
AZR-000076 Azure.AppService.PHPVersion Configure applications to use newer PHP runtime versions. GA
AZR-000077 Azure.AppService.AlwaysOn Configure Always On for App Service apps. GA
AZR-000078 Azure.AppService.HTTP2 Use HTTP/2 instead of HTTP/1.x to improve protocol efficiency. GA
AZR-000079 Azure.AppService.WebProbe Configure and enable instance health probes. GA
AZR-000080 Azure.AppService.WebProbePath Configure a dedicated path for health probe requests. GA
AZR-000081 Azure.AppService.WebSecureFtp Web apps should disable insecure FTP and configure SFTP when required. GA
AZR-000082 Azure.AppService.ManagedIdentity Configure managed identities to access Azure resources. GA
AZR-000083 Azure.AppService.ARRAffinity Disable client affinity for stateless services. GA
AZR-000084 Azure.AppService.UseHTTPS Azure App Service apps should only accept encrypted connections. GA
AZR-000085 Azure.ASG.Name Application Security Group (ASG) names should meet naming requirements. GA
AZR-000086 Azure.Automation.EncryptVariables Azure Automation variables should be encrypted. GA
AZR-000087 Azure.Automation.WebHookExpiry Do not create webhooks with an expiry time greater than 1 year (default). GA
AZR-000088 Azure.Automation.AuditLogs Ensure automation account audit diagnostic logs are enabled. GA
AZR-000089 Azure.Automation.PlatformLogs Ensure automation account platform diagnostic logs are enabled. GA
AZR-000090 Azure.Automation.ManagedIdentity Ensure Managed Identity is used for authentication. GA
AZR-000091 Azure.CDN.EndpointName Azure CDN Endpoint names should meet naming requirements. GA
AZR-000092 Azure.CDN.MinTLS Azure CDN endpoints should reject TLS versions older than 1.2. GA
AZR-000093 Azure.CDN.HTTP Enforce HTTPS for client connections. GA
AZR-000094 Azure.ContainerApp.Insecure Ensure insecure inbound traffic is not permitted to the container app. GA
AZR-000095 Azure.Cosmos.DisableMetadataWrite Use Azure AD identities for management place operations in Azure Cosmos DB. GA
AZR-000096 Azure.Cosmos.AccountName Cosmos DB account names should meet naming requirements. GA
AZR-000097 Azure.DataFactory.Version Consider migrating to DataFactory v2. GA
AZR-000098 Azure.EventGrid.TopicPublicAccess Use Private Endpoints to access Event Grid topics and domains. GA
AZR-000099 Azure.EventGrid.ManagedIdentity Use managed identities to deliver Event Grid Topic events. GA
AZR-000100 Azure.EventGrid.DisableLocalAuth Authenticate publishing clients with Azure AD identities. GA
AZR-000101 Azure.EventHub.Usage Regularly remove unused resources to reduce costs. GA
AZR-000102 Azure.EventHub.DisableLocalAuth Authenticate Event Hub publishers and consumers with Entra ID identities. GA
AZR-000103 Azure.Firewall.Name Firewall names should meet naming requirements. GA
AZR-000104 Azure.Firewall.PolicyName Firewall policy names should meet naming requirements. GA
AZR-000105 Azure.Firewall.Mode Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. GA
AZR-000106 Azure.FrontDoor.MinTLS Front Door Classic instances should reject TLS versions older than 1.2. GA
AZR-000107 Azure.FrontDoor.Logs Audit and monitor access through Azure Front Door profiles. GA
AZR-000108 Azure.FrontDoor.Probe Use health probes to check the health of each backend. GA
AZR-000109 Azure.FrontDoor.ProbeMethod Configure health probes to use HEAD requests to reduce performance overhead. GA
AZR-000110 Azure.FrontDoor.ProbePath Configure a dedicated path for health probe requests. GA
AZR-000111 Azure.FrontDoor.UseWAF Enable Web Application Firewall (WAF) policies on each Front Door endpoint. GA
AZR-000112 Azure.FrontDoor.State Enable Azure Front Door Classic instance. GA
AZR-000113 Azure.FrontDoor.Name Front Door names should meet naming requirements. GA
AZR-000114 Azure.FrontDoor.WAF.Mode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA
AZR-000115 Azure.FrontDoor.WAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA
AZR-000116 Azure.FrontDoor.WAF.Name Front Door WAF policy names should meet naming requirements. GA
AZR-000117 Azure.Identity.UserAssignedName Managed Identity names should meet naming requirements. GA
AZR-000118 Azure.KeyVault.AccessPolicy Use the principal of least privilege when assigning access to Key Vault. GA
AZR-000119 Azure.KeyVault.Logs Ensure audit diagnostics logs are enabled to audit Key Vault access. GA
AZR-000120 Azure.KeyVault.Name Key Vault names should meet naming requirements. GA
AZR-000121 Azure.KeyVault.SecretName Key Vault Secret names should meet naming requirements. GA
AZR-000122 Azure.KeyVault.KeyName Key Vault Key names should meet naming requirements. GA
AZR-000123 Azure.KeyVault.AutoRotationPolicy Key Vault keys should have auto-rotation enabled. GA
AZR-000124 Azure.KeyVault.SoftDelete Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. GA
AZR-000125 Azure.KeyVault.PurgeProtect Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. GA
AZR-000126 Azure.LB.Probe Use a specific probe for web protocols. GA
AZR-000127 Azure.LB.AvailabilityZone Load balancers deployed with Standard SKU should be zone-redundant for high availability. GA
AZR-000128 Azure.LB.StandardSKU Load balancers should be deployed with Standard SKU for production workloads. GA
AZR-000129 Azure.LB.Name Load Balancer names should meet naming requirements. GA
AZR-000130 Azure.LogicApp.LimitHTTPTrigger Limit HTTP request trigger access to trusted IP addresses. GA
AZR-000131 Azure.MySQL.UseSSL Enforce encrypted MySQL connections. GA
AZR-000132 Azure.MySQL.MinTLS MySQL DB servers should reject TLS versions older than 1.2. GA
AZR-000133 Azure.MySQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA
AZR-000134 Azure.MySQL.AllowAzureAccess Determine if access from Azure services is required. GA
AZR-000135 Azure.MySQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA
AZR-000136 Azure.MySQL.ServerName Azure MySQL DB server names should meet naming requirements. GA
AZR-000137 Azure.NSG.AnyInboundSource Network security groups (NSGs) should avoid rules that allow "any" as an inbound source. GA
AZR-000138 Azure.NSG.DenyAllInbound Avoid denying all inbound traffic. GA
AZR-000139 Azure.NSG.LateralTraversal Deny outbound management connections from non-management hosts. GA
AZR-000140 Azure.NSG.Associated Network Security Groups (NSGs) should be associated to a subnet or network interface. GA
AZR-000141 Azure.NSG.Name Network Security Group (NSG) names should meet naming requirements. GA
AZR-000142 Azure.Policy.Descriptors Policy and initiative definitions should use a display name, description, and category. GA
AZR-000143 Azure.Policy.AssignmentDescriptors Policy assignments should use a display name and description. GA
AZR-000144 Azure.Policy.AssignmentAssignedBy Policy assignments should use assignedBy metadata. GA
AZR-000145 Azure.Policy.ExemptionDescriptors Policy exemptions should use a display name and description. GA
AZR-000146 Azure.Policy.WaiverExpiry Configure policy waiver exemptions to expire. GA
AZR-000147 Azure.PostgreSQL.UseSSL Enforce encrypted PostgreSQL connections. GA
AZR-000148 Azure.PostgreSQL.MinTLS PostgreSQL DB servers should reject TLS versions older than 1.2. GA
AZR-000149 Azure.PostgreSQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA
AZR-000150 Azure.PostgreSQL.AllowAzureAccess Determine if access from Azure services is required. GA
AZR-000151 Azure.PostgreSQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA
AZR-000152 Azure.PostgreSQL.ServerName Azure PostgreSQL DB server names should meet naming requirements. GA
AZR-000153 Azure.PrivateEndpoint.Name Private Endpoint names should meet naming requirements. GA
AZR-000154 Azure.PublicIP.IsAttached Public IP addresses should be attached or cleaned up if not in use. GA
AZR-000155 Azure.PublicIP.Name Public IP names should meet naming requirements. GA
AZR-000156 Azure.PublicIP.DNSLabel Public IP domain name labels should meet naming requirements. GA
AZR-000157 Azure.PublicIP.AvailabilityZone Public IP addresses deployed with Standard SKU should use availability zones in supported regions for high availability. GA
AZR-000158 Azure.PublicIP.StandardSKU Public IP addresses should be deployed with Standard SKU for production workloads. GA
AZR-000159 Azure.Redis.MinSKU Use Azure Cache for Redis instances of at least Standard C1. GA
AZR-000160 Azure.Redis.MaxMemoryReserved Configure maxmemory-reserved to reserve memory for non-cache operations. GA
AZR-000161 Azure.Redis.AvailabilityZone Premium Redis cache should be deployed with availability zones for high availability. GA
AZR-000162 Azure.RedisEnterprise.Zones Enterprise Redis cache should be zone-redundant for high availability. GA
AZR-000163 Azure.Redis.NonSslPort Azure Cache for Redis should only accept secure connections. GA
AZR-000164 Azure.Redis.MinTLS Redis Cache should reject TLS versions older than 1.2. GA
AZR-000165 Azure.Redis.PublicNetworkAccess Redis cache should disable public network access. GA
AZR-000166 Azure.Resource.UseTags Azure resources should be tagged using a standard convention. GA
AZR-000167 Azure.Resource.AllowedRegions Resources should be deployed to allowed regions. GA
AZR-000168 Azure.ResourceGroup.Name Resource Group names should meet naming requirements. GA
AZR-000169 Azure.Route.Name Route table names should meet naming requirements. GA
AZR-000170 Azure.RSV.StorageType Recovery Services Vaults (RSV) not using geo-replicated storage (GRS) may be at risk. GA
AZR-000171 Azure.RSV.ReplicationAlert Recovery Services Vaults (RSV) without replication alerts configured may be at risk. GA
AZR-000172 Azure.Search.SKU Use the basic and standard tiers for entry level workloads. GA
AZR-000173 Azure.Search.QuerySLA Use a minimum of 2 replicas to receive an SLA for index queries. GA
AZR-000174 Azure.Search.IndexSLA Use a minimum of 3 replicas to receive an SLA for query and index updates. GA
AZR-000175 Azure.Search.ManagedIdentity Configure managed identities to access Azure resources. GA
AZR-000176 Azure.Search.Name AI Search service names should meet naming requirements. GA
AZR-000177 Azure.ServiceBus.Usage Regularly remove unused resources to reduce costs. GA
AZR-000178 Azure.ServiceBus.DisableLocalAuth Authenticate Service Bus publishers and consumers with Entra ID identities. GA
AZR-000179 Azure.ServiceFabric.AAD Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. GA
AZR-000180 Azure.SignalR.Name SignalR service instance names should meet naming requirements. GA
AZR-000181 Azure.SignalR.ManagedIdentity Configure SignalR Services to use managed identities to access Azure resources securely. GA
AZR-000182 Azure.SignalR.SLA Use SKUs that include an SLA when configuring SignalR Services. GA
AZR-000183 Azure.SQL.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA
AZR-000184 Azure.SQL.AllowAzureAccess Determine if access from Azure services is required. GA
AZR-000185 Azure.SQL.FirewallIPRange Determine if there is an excessive number of permitted IP addresses set in the allowed IP list (CIDR range). GA
AZR-000186 Azure.SQL.DefenderCloud Enable Microsoft Defender for Azure SQL logical server. GA
AZR-000187 Azure.SQL.Auditing Enable auditing for Azure SQL logical server. GA
AZR-000188 Azure.SQL.AAD Use Entra ID authentication with Azure SQL databases. GA
AZR-000189 Azure.SQL.MinTLS Azure SQL Database servers should reject TLS versions older than 1.2. GA
AZR-000190 Azure.SQL.ServerName Azure SQL logical server names should meet naming requirements. GA
AZR-000191 Azure.SQL.TDE Use Transparent Data Encryption (TDE) with Azure SQL Database. GA
AZR-000192 Azure.SQL.DBName Azure SQL Database names should meet naming requirements. GA
AZR-000193 Azure.SQL.FGName Azure SQL failover group names should meet naming requirements. GA
AZR-000194 Azure.SQLMI.Name SQL Managed Instance names should meet naming requirements. GA
AZR-000195 Azure.Storage.UseReplication Storage Accounts not using geo-replicated storage (GRS) may be at risk. GA
AZR-000196 Azure.Storage.SecureTransfer Storage accounts should only accept encrypted connections. GA
AZR-000197 Azure.Storage.SoftDelete Enable blob soft delete on Storage Accounts. GA
AZR-000198 Azure.Storage.BlobPublicAccess Storage Accounts should only accept authorized requests. GA
AZR-000199 Azure.Storage.BlobAccessType Use containers configured with a private access type that requires authorization. GA
AZR-000200 Azure.Storage.MinTLS Storage Accounts should reject TLS versions older than 1.2. GA
AZR-000201 Azure.Storage.Name Storage Account names should meet naming requirements. GA
AZR-000202 Azure.Storage.Firewall Storage Accounts should only accept explicitly allowed traffic. GA
AZR-000203 Azure.RBAC.UseGroups Use groups for assigning permissions instead of individual user accounts. GA
AZR-000204 Azure.RBAC.LimitOwner Limit the number of subscription Owners. GA
AZR-000205 Azure.RBAC.LimitMGDelegation Limit Role-Base Access Control (RBAC) inheritance from Management Groups. GA
AZR-000206 Azure.RBAC.CoAdministrator Delegate access to manage Azure resources using role-based access control (RBAC). GA
AZR-000207 Azure.RBAC.UseRGDelegation Use RBAC assignments on resource groups instead of individual resources. GA
AZR-000208 Azure.RBAC.PIM Use just-in-time (JiT) activation of roles instead of persistent role assignment. GA
AZR-000209 Azure.DefenderCloud.Contact Microsoft Defender for Cloud email and phone contact details should be set. GA
AZR-000210 Azure.DefenderCloud.Provisioning Enable auto-provisioning on to improve Microsoft Defender for Cloud insights. GA
AZR-000211 Azure.Monitor.ServiceHealth Configure Service Health alerts to notify administrators. GA
AZR-000212 Azure.Template.TemplateFile Use ARM template files that are valid. GA
AZR-000213 Azure.Template.TemplateSchema Use a more recent version of the Azure template schema. GA
AZR-000214 Azure.Template.TemplateScheme Use an Azure template file schema with the https scheme. GA
AZR-000215 Azure.Template.ParameterMetadata Set metadata descriptions in Azure Resource Manager (ARM) template for each parameter. GA
AZR-000216 Azure.Template.Resources Each Azure Resource Manager (ARM) template file should deploy at least one resource. GA
AZR-000217 Azure.Template.UseParameters Each Azure Resource Manager (ARM) template parameter should be used or removed from template files. GA
AZR-000218 Azure.Template.DefineParameters Each Azure Resource Manager (ARM) template file should contain a minimal number of parameters. GA
AZR-000219 Azure.Template.UseVariables Each Azure Resource Manager (ARM) template variable should be used or removed from template files. GA
AZR-000220 Azure.Template.LocationDefault Set the default value for the location parameter within an ARM template to resource group location. GA
AZR-000221 Azure.Template.LocationType Location parameters should use a string value. GA
AZR-000222 Azure.Template.ResourceLocation Template resource location should be an expression or global. GA
AZR-000223 Azure.Template.UseLocationParameter Template should reference a location parameter to specify resource location. GA
AZR-000224 Azure.Template.ParameterMinMaxValue Template parameters minValue and maxValue constraints must be valid. GA
AZR-000225 Azure.Template.DebugDeployment Use default deployment detail level for nested deployments. GA
AZR-000226 Azure.Template.ParameterDataTypes Set the parameter default value to a value of the same type. GA
AZR-000227 Azure.Template.ParameterStrongType Set the parameter value to a value that matches the specified strong type. GA
AZR-000228 Azure.Template.ExpressionLength Template expressions should not exceed the maximum length. GA
AZR-000229 Azure.Template.ParameterFile Use ARM template parameter files that are valid. GA
AZR-000230 Azure.Template.ParameterScheme Use an Azure template parameter file schema with the https scheme. GA
AZR-000231 Azure.Template.MetadataLink Configure a metadata link for each parameter file. GA
AZR-000232 Azure.Template.ParameterValue Specify a value for each parameter in template parameter files. GA
AZR-000233 Azure.Template.ValidSecretRef Use a valid secret reference within parameter files. GA
AZR-000234 Azure.Template.UseComments Use comments for each resource in ARM template to communicate purpose. GA
AZR-000235 Azure.Template.UseDescriptions Use descriptions for each resource in generated template(bicep, psarm, AzOps) to communicate purpose. GA
AZR-000236 Azure.TrafficManager.Endpoints Traffic Manager should use at lest two enabled endpoints. GA
AZR-000237 Azure.TrafficManager.Protocol Monitor Traffic Manager web-based endpoints with HTTPS. GA
AZR-000238 Azure.VM.UseManagedDisks Virtual machines (VMs) should use managed disks. GA
AZR-000239 Azure.VM.Standalone Use VM features to increase reliability and improve covered SLA for VM configurations. GA
AZR-000240 Azure.VM.PromoSku Virtual machines (VMs) should not use expired promotional SKU. GA
AZR-000241 Azure.VM.BasicSku Virtual machines (VMs) should not use Basic sizes. GA
AZR-000242 Azure.VM.DiskCaching Check disk caching is configured correctly for the workload. GA
AZR-000243 Azure.VM.UseHybridUseBenefit Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. GA
AZR-000244 Azure.VM.AcceleratedNetworking Use accelerated networking for supported operating systems and VM types. GA
AZR-000245 Azure.VM.PublicKey Linux virtual machines should use public keys. GA
AZR-000246 Azure.VM.Agent Ensure the VM agent is provisioned automatically. GA
AZR-000247 Azure.VM.Updates Ensure automatic updates are enabled at deployment. GA
AZR-000248 Azure.VM.Name Virtual Machine (VM) names should meet naming requirements. GA
AZR-000249 Azure.VM.ComputerName Virtual Machine (VM) computer name should meet naming requirements. GA
AZR-000250 Azure.VM.DiskAttached Managed disks should be attached to virtual machines or removed. GA
AZR-000251 Azure.VM.DiskSizeAlignment Align to the Managed Disk billing increments to improve cost efficiency. GA
AZR-000252 Azure.VM.ADE Use Azure Disk Encryption (ADE). GA
AZR-000253 Azure.VM.DiskName Managed Disk names should meet naming requirements. GA
AZR-000254 Azure.VM.ASAlignment Use availability sets aligned with managed disks fault domains. GA
AZR-000255 Azure.VM.ASMinMembers Availability sets should be deployed with at least two virtual machines (VMs). GA
AZR-000256 Azure.VM.ASName Availability Set names should meet naming requirements. GA
AZR-000257 Azure.NIC.Attached Network interfaces (NICs) that are not used should be removed. GA
AZR-000258 Azure.NIC.UniqueDns Network interfaces (NICs) should inherit DNS from virtual networks. GA
AZR-000259 Azure.NIC.Name Network Interface (NIC) names should meet naming requirements. GA
AZR-000260 Azure.VM.PPGName Proximity Placement Group (PPG) names should meet naming requirements. GA
AZR-000261 Azure.VMSS.Name Virtual Machine Scale Set (VMSS) names should meet naming requirements. GA
AZR-000262 Azure.VMSS.ComputerName Virtual Machine Scale Set (VMSS) computer name should meet naming requirements. GA
AZR-000263 Azure.VNET.UseNSGs Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. GA
AZR-000264 Azure.VNET.SingleDNS Virtual networks (VNETs) should have at least two DNS servers assigned. GA
AZR-000265 Azure.VNET.LocalDNS Virtual networks (VNETs) should use DNS servers deployed within the same Azure region. GA
AZR-000266 Azure.VNET.PeerState VNET peering connections must be connected. GA
AZR-000267 Azure.VNET.SubnetName Subnet names should meet naming requirements. GA
AZR-000268 Azure.VNET.Name Virtual Network (VNET) names should meet naming requirements. GA
AZR-000269 Azure.VNG.VPNLegacySKU Migrate from legacy SKUs to improve reliability and performance of VPN gateways. GA
AZR-000270 Azure.VNG.VPNActiveActive Use VPN gateways configured to operate in an Active-Active configuration to reduce connectivity downtime. GA
AZR-000271 Azure.VNG.ERLegacySKU Migrate from legacy SKUs to improve reliability and performance of ExpressRoute (ER) gateways. GA
AZR-000272 Azure.VNG.VPNAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with VPN gateway type. GA
AZR-000273 Azure.VNG.ERAvailabilityZoneSKU Use availability zone SKU for virtual network gateways deployed with ExpressRoute gateway type. GA
AZR-000274 Azure.VNG.Name Virtual Network Gateway (VNG) names should meet naming requirements. GA
AZR-000275 Azure.VNG.ConnectionName Virtual Network Gateway (VNG) connection names should meet naming requirements. GA
AZR-000276 Azure.vWAN.Name Virtual WAN (vWAN) names should meet naming requirements. GA
AZR-000277 Azure.WebPubSub.ManagedIdentity Configure Web PubSub Services to use managed identities to access Azure resources securely. GA
AZR-000278 Azure.WebPubSub.SLA Use SKUs that include an SLA when configuring Web PubSub Services. GA
AZR-000279 Azure.Deployment.OutputSecretValue Avoid outputting sensitive deployment values. GA
AZR-000280 Azure.AI.PublicAccess Restrict access of Azure AI services to authorized virtual networks. GA
AZR-000281 Azure.AI.ManagedIdentity Configure managed identities to access Azure resources. GA
AZR-000282 Azure.AI.DisableLocalAuth Authenticate requests to Azure AI services with Entra ID identities. GA
AZR-000283 Azure.AI.PrivateEndpoints Use Private Endpoints to access Azure AI services accounts. GA
AZR-000284 Azure.Deployment.AdminUsername Use secure parameters for sensitive resource properties. GA
AZR-000285 Azure.AKS.UptimeSLA AKS clusters should have Uptime SLA enabled for a financially backed SLA. GA
AZR-000286 Azure.CDN.UseFrontDoor Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. GA
AZR-000287 Azure.AKS.EphemeralOSDisk AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. GA
AZR-000288 Azure.VMSS.PublicKey Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. GA
AZR-000289 Azure.Storage.ContainerSoftDelete Enable container soft delete on Storage Accounts. GA
AZR-000290 Azure.Defender.Containers Enable Microsoft Defender for Containers. GA
AZR-000291 Azure.AppConfig.DisableLocalAuth Authenticate App Configuration clients with Entra ID identities. GA
AZR-000292 Azure.NSG.AKSRules AKS Network Security Group (NSG) should not have custom rules. GA
AZR-000293 Azure.Defender.Servers Enable Microsoft Defender for Servers. GA
AZR-000294 Azure.Defender.SQL Enable Microsoft Defender for SQL servers. GA
AZR-000295 Azure.Defender.AppServices Enable Microsoft Defender for App Service. GA
AZR-000296 Azure.Defender.Storage Enable Microsoft Defender for Storage. GA
AZR-000297 Azure.Defender.SQLOnVM Enable Microsoft Defender for SQL servers on machines. GA
AZR-000298 Azure.Storage.FileShareSoftDelete Enable soft delete on Storage Accounts file shares. GA
AZR-000299 Azure.Redis.FirewallRuleCount Determine if there is an excessive number of firewall rules for the Redis cache. GA
AZR-000300 Azure.Redis.FirewallIPRange Determine if there is an excessive number of permitted IP addresses for the Redis cache. GA
AZR-000301 Azure.RedisEnterprise.MinTLS Redis Cache should reject TLS versions older than 1.2. GA
AZR-000302 Azure.AppGwWAF.PreventionMode Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA
AZR-000303 Azure.AppGwWAF.Exclusions Application Gateway Web Application Firewall (WAF) should have all rules enabled. GA
AZR-000304 Azure.AppGwWAF.RuleGroups Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. GA
AZR-000305 Azure.FrontDoorWAF.Enabled Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. GA
AZR-000306 Azure.FrontDoorWAF.PreventionMode Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA
AZR-000307 Azure.FrontDoorWAF.Exclusions Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. GA
AZR-000308 Azure.FrontDoorWAF.RuleGroups Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. GA
AZR-000309 Azure.AppGwWAF.Enabled Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. GA
AZR-000310 Azure.ACR.SoftDelete Azure Container Registries should have soft delete policy enabled. Preview
AZR-000311 Azure.AppConfig.AuditLogs Ensure app configuration store audit diagnostic logs are enabled. GA
AZR-000312 Azure.AppConfig.GeoReplica Replicate app configuration store across all points of presence for an application. GA
AZR-000313 Azure.AppConfig.PurgeProtect Consider purge protection for the app configuration store to ensure the store cannot be purged during the retention period. GA
AZR-000314 Azure.VNET.BastionSubnet VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs. GA
AZR-000315 Azure.ServiceBus.MinTLS Service Bus namespaces should reject TLS versions older than 1.2. GA
AZR-000316 Azure.Deployment.SecureValue Use secure parameters for setting properties of resources that contain sensitive information. GA
AZR-000317 Azure.VM.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA
AZR-000318 Azure.VMSS.MigrateAMA Use Azure Monitor Agent as replacement for Log Analytics Agent. GA
AZR-000319 Azure.ASE.MigrateV3 Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. GA
AZR-000320 Azure.FrontDoor.UseCaching Use caching to reduce retrieving contents from origins. GA
AZR-000321 Azure.APIM.MinAPIVersion API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. GA
AZR-000322 Azure.VNET.FirewallSubnet Use Azure Firewall to filter network traffic to and from Azure resources. GA
AZR-000323 Azure.MySQL.GeoRedundantBackup Azure Database for MySQL should store backups in a geo-redundant storage. GA
AZR-000324 Azure.VM.SQLServerDisk Use Premium SSD disks or greater for data and log files for production SQL Server workloads. GA
AZR-000325 Azure.MySQL.UseFlexible Use Azure Database for MySQL Flexible Server deployment model. GA
AZR-000326 Azure.PostgreSQL.GeoRedundantBackup Azure Database for PostgreSQL should store backups in a geo-redundant storage. GA
AZR-000327 Azure.PostgreSQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for PostgreSQL. GA
AZR-000328 Azure.MySQL.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MySQL. GA
AZR-000329 Azure.MariaDB.GeoRedundantBackup Azure Database for MariaDB should store backups in a geo-redundant storage. GA
AZR-000330 Azure.MariaDB.DefenderCloud Enable Microsoft Defender for Cloud for Azure Database for MariaDB. GA
AZR-000331 Azure.Deployment.OuterSecret Do not use Outer deployments when referencing SecureString or SecureObject parameters. GA
AZR-000332 Azure.VM.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA
AZR-000333 Azure.VMSS.ScriptExtensions Custom Script Extensions scripts that reference secret values must use the protectedSettings. GA
AZR-000334 Azure.MariaDB.UseSSL Azure Database for MariaDB servers should only accept encrypted connections. GA
AZR-000335 Azure.MariaDB.MinTLS Azure Database for MariaDB servers should reject TLS versions older than 1.2. GA
AZR-000336 Azure.MariaDB.ServerName Azure Database for MariaDB servers should meet naming requirements. GA
AZR-000337 Azure.MariaDB.DatabaseName Azure Database for MariaDB databases should meet naming requirements. GA
AZR-000338 Azure.MariaDB.FirewallRuleName Azure Database for MariaDB firewall rules should meet naming requirements. GA
AZR-000339 Azure.MariaDB.VNETRuleName Azure Database for MariaDB VNET rules should meet naming requirements. GA
AZR-000340 Azure.APIM.MultiRegion API Management instances should use multi-region deployment to improve service availability. GA
AZR-000341 Azure.APIM.MultiRegionGateway API Management instances should have multi-region deployment gateways enabled. GA
AZR-000342 Azure.MariaDB.AllowAzureAccess Determine if access from Azure services is required. GA
AZR-000343 Azure.MariaDB.FirewallRuleCount Determine if there is an excessive number of firewall rules. GA
AZR-000344 Azure.MariaDB.FirewallIPRange Determine if there is an excessive number of permitted IP addresses. GA
AZR-000345 Azure.VM.AMA Use Azure Monitor Agent for collecting monitoring data from VMs. GA
AZR-000346 Azure.VMSS.AMA Use Azure Monitor Agent for collecting monitoring data from VM scale sets. GA
AZR-000347 Azure.Redis.Version Azure Cache for Redis should use the latest supported version of Redis. GA
AZR-000348 Azure.AppGw.Name Application Gateways should meet naming requirements. GA
AZR-000349 Azure.Bastion.Name Bastion hosts should meet naming requirements. GA
AZR-000350 Azure.RSV.Name Recovery Services vaults should meet naming requirements. GA
AZR-000351 Azure.VM.ShouldNotBeStopped Azure VMs should be running or in a deallocated state. GA
AZR-000352 Azure.Defender.KeyVault Enable Microsoft Defender for Key Vault. GA
AZR-000353 Azure.Defender.Dns Enable Microsoft Defender for DNS. GA
AZR-000354 Azure.Defender.Arm Enable Microsoft Defender for Azure Resource Manager (ARM). GA
AZR-000355 Azure.KeyVault.Firewall Key Vault should only accept explicitly allowed traffic. GA
AZR-000356 Azure.EventHub.MinTLS Event Hub namespaces should reject TLS versions older than 1.2. GA
AZR-000357 Azure.IoTHub.MinTLS IoT Hubs should reject TLS versions older than 1.2. GA
AZR-000358 Azure.ServiceBus.AuditLogs Ensure namespace audit diagnostic logs are enabled. GA
AZR-000359 Azure.Deployment.Name Nested deployments should meet naming requirements of deployments. GA
AZR-000360 Azure.ContainerApp.Name Container Apps should meet naming requirements. GA
AZR-000361 Azure.ContainerApp.ManagedIdentity Ensure managed identity is used for authentication. GA
AZR-000362 Azure.ContainerApp.ExternalIngress Limit inbound communication for Container Apps to callers within the Container Apps Environment. GA
AZR-000363 Azure.ContainerApp.PublicAccess Ensure public network access for Container Apps environment is disabled. GA
AZR-000364 Azure.ContainerApp.Storage Use Azure Files volume mounts to persist container data. GA
AZR-000365 Azure.APIM.CORSPolicy Avoid using wildcard for any configuration option in CORS policies. GA
AZR-000366 Azure.SQLMI.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance. GA
AZR-000367 Azure.SQLMI.ManagedIdentity Ensure managed identity is used to allow support for Azure AD authentication. GA
AZR-000368 Azure.SQLMI.AAD Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. GA
AZR-000369 Azure.SQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure SQL Database. GA
AZR-000370 Azure.AKS.DefenderProfile Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. GA
AZR-000371 Azure.APIM.PolicyBase Base element for any policy element in a section should be configured. GA
AZR-000372 Azure.Defender.Cspm Enable Microsoft Defender Cloud Security Posture Management Standard plan. GA
AZR-000373 Azure.Arc.Kubernetes.Defender Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. Preview
AZR-000374 Azure.Arc.Server.MaintenanceConfig Use a maintenance configuration for Arc-enabled servers. Preview
AZR-000375 Azure.VM.MaintenanceConfig Use a maintenance configuration for virtual machines. Preview
AZR-000376 Azure.AppGw.MigrateV2 Use an Application Gateway v2 SKU. GA
AZR-000377 Azure.Defender.Api Enable Microsoft Defender for APIs. GA
AZR-000378 Azure.ContainerApp.DisableAffinity Disable session affinity to prevent unbalanced distribution. GA
AZR-000379 Azure.Defender.CosmosDb Enable Microsoft Defender for Azure Cosmos DB. GA
AZR-000380 Azure.ContainerApp.RestrictIngress IP ingress restrictions mode should be set to allow action for all rules defined. GA
AZR-000381 Azure.Defender.OssRdb Enable Microsoft Defender for open-source relational databases. GA
AZR-000382 Azure.Cosmos.DefenderCloud Enable Microsoft Defender for Azure Cosmos DB. GA
AZR-000383 Azure.Defender.Storage.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA
AZR-000384 Azure.Storage.Defender.MalwareScan Enable Malware Scanning in Microsoft Defender for Storage. GA
AZR-000385 Azure.Defender.Storage.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview
AZR-000386 Azure.Storage.DefenderCloud Enable Microsoft Defender for Storage for storage accounts. GA
AZR-000387 Azure.APIM.DefenderCloud APIs published in Azure API Management should be onboarded to Microsoft Defender for APIs. GA
AZR-000388 Azure.KeyVault.RBAC Key Vaults should use Azure RBAC as the authorization system for the data plane. GA
AZR-000389 Azure.PostgreSQL.AAD Use Entra ID authentication with Azure Database for PostgreSQL databases. GA
AZR-000390 Azure.PostgreSQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases. GA
AZR-000391 Azure.Storage.Defender.DataScan Enable sensitive data threat detection in Microsoft Defender for Storage. Preview
AZR-000392 Azure.MySQL.AAD Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. GA
AZR-000393 Azure.Databricks.SecureConnectivity Use Databricks workspaces configured for secure cluster connectivity. GA
AZR-000394 Azure.MySQL.AADOnly Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases. GA
AZR-000395 Azure.PublicIP.MigrateStandard Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. GA
AZR-000396 Azure.FrontDoor.ManagedIdentity Ensure Front Door uses a managed identity to authorize access to Azure resources. GA
AZR-000397 Azure.RSV.Immutable Ensure immutability is configured to protect backup data. GA
AZR-000398 Azure.BV.Immutable Ensure immutability is configured to protect backup data. GA
AZR-000399 Azure.Firewall.PolicyMode Deny high confidence malicious IP addresses, domains and URLs. GA
AZR-000400 Azure.ContainerApp.APIVersion Migrate from retired API version to a supported version. GA
AZR-000401 Azure.ACR.AnonymousAccess Disable anonymous pull access. Preview
AZR-000402 Azure.ACR.Firewall Limit network access of container registries to only trusted clients. GA
AZR-000403 Azure.ML.ComputeIdleShutdown Configure an idle shutdown timeout for Machine Learning compute instances. GA
AZR-000404 Azure.ML.DisableLocalAuth Azure Machine Learning compute resources should have local authentication methods disabled. GA
AZR-000405 Azure.ML.ComputeVnet Azure Machine Learning Computes should be hosted in a virtual network (VNet). GA
AZR-000406 Azure.ML.PublicAccess Disable public network access from an Azure Machine Learning workspace. GA
AZR-000407 Azure.ML.UserManagedIdentity ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. GA
AZR-000408 Azure.Deployment.SecureParameter Use secure parameters for any parameter that contains sensitive information. GA
AZR-000409 Azure.Databricks.SKU Ensure Databricks workspaces are non-trial SKUs for production workloads. GA
AZR-000410 Azure.Databricks.PublicAccess Azure Databricks workspaces should disable public network access. GA
AZR-000411 Azure.DevBox.ProjectLimit Limit the number of Dev Boxes a single user can create for a project. GA
AZR-000412 Azure.AKS.MinUserPoolNodes User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. GA