Azure Quick Review

Azure Quick Review! — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a command-line interface (CLI) tool specifically designed to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations. Its primary purpose is to provide users with a detailed overview of their Azure resources, enabling them to easily identify any non-compliant configurations or potential areas for improvement.

1 - Overview

Azure Quick Review — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure’s best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review Recommendations

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

Scan Results

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

  • Recommendations: a list with all recommendations with the number of resources that are impacted. You can use this table as an action plan to improve the compliance of your resources.
  • ImpactedResources: a list with all resources that are impacted. You can use this table to identify resources that have issues that need to be addressed.
  • ResourceTypes: a list of impacted resource types.
  • Inventory: a list of all resources scanned by the tool. Here you’ll find details such as SKU, Tier, Kind or calculated SLA.
  • Advisor: a list of recommendations provided by Azure Advisor.
  • DefenderRecommendations: a list of recommendations provided by Microsoft Defender for Cloud.
  • OutOfScope: a list of resources that were not scanned.
  • Defender: a list of Microsoft Defender for Cloud plans and their tiers.
  • Costs: a list of costs associated with the scanned subscription for the last 3 months.

By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.

Azure Quick Review can also generate CSV files with the same information as the Excel file. To generate the CSV files, use the --csv flag when running the tool.

A Power BI template is also available to help you visualize the results generated by Azure Quick Review. You can create the template by running Azure Quick Review with the pbi command and then loading the Excel file generated by the tool.

Supported Azure Services

Azure Quick Review (azqr) currently supports the following Azure services:

Abbreviation | Resource Type
aa | Microsoft.Automation/automationAccounts
adf | Microsoft.DataFactory/factories
afd | Microsoft.Cdn/profiles
afw | Microsoft.Network/azureFirewalls
agw | Microsoft.Network/applicationGateways
aks | Microsoft.ContainerService/managedClusters
amg | Microsoft.Dashboard/grafana
apim | Microsoft.ApiManagement/service
appcs | Microsoft.AppConfiguration/configurationStores
appi | Microsoft.Insights/components
appi | Microsoft.Insights/activityLogAlerts
as | Microsoft.AnalysisServices/servers
asp | Microsoft.Web/serverFarms
asp | Microsoft.Web/sites
avd | Specialized.Workload/AVD
avs | Microsoft.AVS/privateClouds
avs | Specialized.Workload/AVS
ba | Microsoft.Batch/batchAccounts
ca | Microsoft.App/containerApps
cae | Microsoft.App/managedenvironments
ci | Microsoft.ContainerInstance/containerGroups
cog | Microsoft.CognitiveServices/accounts
con | Microsoft.Network/connections
cosmos | Microsoft.DocumentDB/databaseAccounts
cr | Microsoft.ContainerRegistry/registries
dbw | Microsoft.Databricks/workspaces
dec | Microsoft.Kusto/clusters
disk | Microsoft.Compute/disks
erc | Microsoft.Network/expressRouteCircuits
erc | Microsoft.Network/ExpressRoutePorts
evgd | Microsoft.EventGrid/domains
evh | Microsoft.EventHub/namespaces
fdfp | Microsoft.Network/frontdoorWebApplicationFirewallPolicies
gal | Microsoft.Compute/galleries
hpc | Specialized.Workload/HPC
iot | Microsoft.Devices/IotHubs
it | Microsoft.VirtualMachineImages/imageTemplates
kv | Microsoft.KeyVault/vaults
lb | Microsoft.Network/loadBalancers
log | Microsoft.OperationalInsights/workspaces
logic | Microsoft.Logic/workflows
maria | Microsoft.DBforMariaDB/servers
maria | Microsoft.DBforMariaDB/servers/databases
mysql | Microsoft.DBforMySQL/servers
mysql | Microsoft.DBforMySQL/flexibleServers
netapp | Microsoft.NetApp/netAppAccounts
ng | Microsoft.Network/natGateways
nsg | Microsoft.Network/networkSecurityGroups
nw | Microsoft.Network/networkWatchers
pdnsz | Microsoft.Network/privateDnsZones
pep | Microsoft.Network/privateEndpoints
pip | Microsoft.Network/publicIPAddresses
psql | Microsoft.DBforPostgreSQL/servers
psql | Microsoft.DBforPostgreSQL/flexibleServers
redis | Microsoft.Cache/Redis
rsv | Microsoft.RecoveryServices/vaults
rt | Microsoft.Network/routeTables
sap | Specialized.Workload/SAP
sb | Microsoft.ServiceBus/namespaces
sigr | Microsoft.SignalRService/SignalR
sql | Microsoft.Sql/servers
sql | Microsoft.Sql/servers/databases
sql | Microsoft.Sql/servers/elasticPools
st | Microsoft.Storage/storageAccounts
synw | Microsoft.Synapse/workspaces
synw | Microsoft.Synapse/workspaces/bigDataPools
synw | Microsoft.Synapse/workspaces/sqlPools
traf | Microsoft.Network/trafficManagerProfiles
vdpool | Microsoft.DesktopVirtualization/hostPools
vdpool | Microsoft.DesktopVirtualization/scalingPlans
vdpool | Microsoft.DesktopVirtualization/workspaces
vgw | Microsoft.Network/virtualNetworkGateways
vm | Microsoft.Compute/virtualMachines
vmss | Microsoft.Compute/virtualMachineScaleSets
vnet | Microsoft.Network/virtualNetworks
vwan | Microsoft.Network/virtualWans
wps | Microsoft.SignalRService/webPubSub

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct

Trademark Notice

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.

2 - Usage

Use Azure Quick Review to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Authentication

Azure Quick Review (azqr) supports the following authentication methods:

  • Service Principal. You’ll need to set the following environment variables:
    • AZURE_CLIENT_ID
    • AZURE_CLIENT_SECRET
    • AZURE_TENANT_ID
  • Azure Managed Identity
  • Azure CLI (Using this type of authentication will make scans run slower)

Authorization

Azure Quick Review (azqr) requires the following permissions:

  • Reader over Subscription or Management Group scope

Running the Scan

To scan all resources in all subscriptions, run:

./azqr scan

To scan all resources in a specific management group run:

./azqr scan --management-group-id <management_group_id>

To scan all resources in a specific subscription run:

./azqr scan -s <subscription_id>

To scan a specific resource group in a specific subscription run:

./azqr scan -s <subscription_id> -g <resource_group_name>

For information on available commands and help run:

./azqr -h

Filtering Recommendations and more

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    resourceTypes:
      - <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

./azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.
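
An added example, not part of azqr or its documentation: a pre-flight audit of a filters file that reports which excluded recommendation ids would suppress Security or High-impact checks, so each such exclusion gets an explicit review before the scan runs. The catalogue excerpt is copied from the recommendations listed in section 4 of this page; the subscription id, resource group name, the id "zz-999" and the minimal parser for the fixed layout above are constructed for illustration.

```python
"""Audit an azqr filters file for exclusions that hide security-relevant checks."""

# Excerpt of the recommendation catalogue from section 4 of this page:
# id -> (category, impact, recommendation). Extend it from the full rules list.
CATALOGUE = {
    "adf-002": ("Security", "High", "Azure Data Factory should have private endpoints enabled"),
    "adf-004": ("Governance", "Low", "Azure Data Factory Name should comply with naming conventions"),
    "aks-004": ("Security", "High", "AKS Cluster should be private"),
    "aks-006": ("Governance", "Low", "AKS Name should comply with naming conventions"),
    "aks-008": ("Security", "Medium", "AKS should be RBAC enabled."),
    "app-007": ("Security", "High", "App Service should use HTTPS only"),
    "cr-008": ("Security", "Medium", "ContainerRegistry should have the Administrator account disabled"),
}

# Constructed sample filters file in the format shown above (all values are placeholders).
SAMPLE_FILTERS = """\
azqr:
  include:
    subscriptions:
      - 00000000-0000-0000-0000-000000000000 # constructed placeholder
    resourceTypes:
      - aks
      - cr
  exclude:
    resourceGroups:
      - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sandbox
    recommendations:
      - aks-006   # naming convention noise
      - aks-004
      - cr-008
      - "zz-999"
"""


def parse_filters(text):
    """Parse the fixed layout azqr -> include/exclude -> key -> list of strings.

    Deliberately minimal: handles comments, quotes and '- item' lists only,
    which is all the documented format uses. It is not a general YAML parser.
    """
    result = {"include": {}, "exclude": {}}
    section = key = None
    for raw in text.splitlines():
        stripped = raw.split(" #", 1)[0].strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- "):
            if section is None or key is None:
                raise ValueError(f"list item outside a section: {raw!r}")
            result[section][key].append(stripped[2:].strip().strip("\"'"))
        elif stripped.endswith(":"):
            name = stripped[:-1]
            if name == "azqr":
                continue
            if name in result:
                section, key = name, None
            elif section is not None:
                key = name
                result[section].setdefault(key, [])
            else:
                raise ValueError(f"unexpected key: {raw!r}")
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return result


def audit_exclusions(filters, catalogue=CATALOGUE):
    """Classify each excluded recommendation id.

    Returns (flagged, benign, unknown):
      flagged - Security category or High impact; needs a documented justification
      benign  - known id that is neither Security nor High
      unknown - id not in the catalogue excerpt (possible typo or stale id)
    """
    flagged, benign, unknown = [], [], []
    for rec_id in filters["exclude"].get("recommendations", []):
        entry = catalogue.get(rec_id)
        if entry is None:
            unknown.append(rec_id)
        elif entry[0] == "Security" or entry[1] == "High":
            flagged.append((rec_id, *entry))
        else:
            benign.append(rec_id)
    return flagged, benign, unknown


if __name__ == "__main__":
    flagged, benign, unknown = audit_exclusions(parse_filters(SAMPLE_FILTERS))
    for rec_id, category, impact, text in flagged:
        print(f"REVIEW   {rec_id:10} {category}/{impact}: {text}")
    for rec_id in unknown:
        print(f"UNKNOWN  {rec_id:10} not in catalogue, check the id")
    for rec_id in benign:
        print(f"OK       {rec_id}")
    # Non-zero exit lets a pipeline stop before scanning with a risky filter set.
    raise SystemExit(1 if flagged or unknown else 0)
```
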

3 - Install

Learn how to install Azure Quick Review (azqr)

Install on Linux or Azure Cloud Shell

latest_azqr=$(curl -sL https://api.github.com/repos/Azure/azqr/releases/latest | jq -r ".tag_name" | cut -c1-)
wget https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-ubuntu-latest-amd64 -O azqr
chmod +x azqr

Install on Windows

Use winget:

winget install azqr

or download the executable file:

$latest_azqr=$(iwr https://api.github.com/repos/Azure/azqr/releases/latest).content | convertfrom-json | Select-Object -ExpandProperty tag_name
iwr https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-windows-latest-amd64.exe -OutFile azqr.exe

Install on Mac

Use homebrew:

brew install azqr

or download the latest release from here.

4 - Recommendations

Recommendations

Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

#IdResource TypeCategoryImpactRecommendationLearn
1adf-001Microsoft.DataFactory/factoriesMonitoringAndAlertingLowAzure Data Factory should have diagnostic settings enabledLearn
2adf-002Microsoft.DataFactory/factoriesSecurityHighAzure Data Factory should have private endpoints enabledLearn
3adf-003Microsoft.DataFactory/factoriesHighAvailabilityHighAzure Data Factory SLALearn
4adf-004Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory Name should comply with naming conventionsLearn
5adf-005Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory should have tagsLearn
6afd-001Microsoft.Cdn/profilesMonitoringAndAlertingLowAzure FrontDoor should have diagnostic settings enabledLearn
7afd-003Microsoft.Cdn/profilesHighAvailabilityHighAzure FrontDoor SLALearn
8afd-006Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor Name should comply with naming conventionsLearn
9afd-007Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor should have tagsLearn
101bd2b7e8-400f-e64a-99a2-c572f7b08a62Microsoft.Cdn/profilesSecurityMediumEnable the WAFLearn
1138f3d542-6de6-a44b-86c6-97e3be690281Microsoft.Cdn/profilesHighAvailabilityLowDisable health probes when there is only one origin in an origin groupLearn
12d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1Microsoft.Cdn/profilesSecurityHighUse end-to-end TLSLearn
1324ab9f11-a3e4-3043-a985-22cf94c4933aMicrosoft.Cdn/profilesSecurityHighUse HTTP to HTTPS redirectionLearn
14afw-001Microsoft.Network/azureFirewallsMonitoringAndAlertingLowAzure Firewall should have diagnostic settings enabledLearn
15afw-003Microsoft.Network/azureFirewallsHighAvailabilityHighAzure Firewall SLALearn
16afw-006Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall Name should comply with naming conventionsLearn
17afw-007Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall should have tagsLearn
18c72b7fee-1fa0-5b4b-98e5-54bcae95bb74Microsoft.Network/azureFirewallsHighAvailabilityHighDeploy Azure Firewall across multiple availability zonesLearn
193c8fa7c6-6b78-a24a-a63f-348a7c71acb9Microsoft.Network/azureFirewallsMonitoringAndAlertingHighMonitor Azure Firewall metricsLearn
201b2dbf4a-8a0b-5e4b-8f4e-3f758188910dMicrosoft.Network/azureFirewallsSecurityHighConfigure DDoS Protection on the Azure Firewall VNetLearn
21agw-005Microsoft.Network/applicationGatewaysMonitoringAndAlertingLowApplication Gateway: Monitor and Log the configurations and trafficLearn
22agw-103Microsoft.Network/applicationGatewaysHighAvailabilityHighApplication Gateway SLALearn
23agw-105Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway Name should comply with naming conventionsLearn
24agw-106Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway should have tagsLearn
25c9c00f2a-3888-714b-a72b-b4c9e8fcffb2Microsoft.Network/applicationGatewaysHighAvailabilityHighDeploy Application Gateway in a zone-redundant configurationLearn
2610f02bc6-e2e7-004d-a2c2-f9bf9f16b915Microsoft.Network/applicationGatewaysHighAvailabilityMediumPlan for backend maintenance by using connection drainingLearn
27823b0cff-05c0-2e4e-a1e7-9965e1cfa16fMicrosoft.Network/applicationGatewaysScalabilityMediumEnsure Autoscale feature has been enabledLearn
28233a7008-71e9-e745-923e-1a1c7a0b92f3Microsoft.Network/applicationGatewaysSecurityHighSecure all incoming connections with SSLLearn
297893f0b3-8622-1d47-beed-4b50a19f7895Microsoft.Network/applicationGatewaysScalabilityHighMigrate to Application Gateway v2Learn
308364fd0a-7c0e-e240-9d95-4bf965aec243Microsoft.Network/applicationGatewaysOtherBestPracticesHighEnsure Application Gateway Subnet is using a /24 subnet maskLearn
318d9223c4-730d-ca47-af88-a9a024c37270Microsoft.Network/applicationGatewaysSecurityLowEnable Web Application Firewall policiesLearn
32847a8d88-21c4-bc48-a94e-562206edd767Microsoft.Network/applicationGatewaysMonitoringAndAlertingHighUse Health Probes to detect backend availabilityLearn
33aks-001Microsoft.ContainerService/managedClustersMonitoringAndAlertingLowAKS Cluster should have diagnostic settings enabledLearn
34aks-003Microsoft.ContainerService/managedClustersHighAvailabilityHighAKS Cluster should have an SLALearn
35aks-004Microsoft.ContainerService/managedClustersSecurityHighAKS Cluster should be privateLearn
36aks-006Microsoft.ContainerService/managedClustersGovernanceLowAKS Name should comply with naming conventionsLearn
37aks-007Microsoft.ContainerService/managedClustersSecurityMediumAKS should integrate authentication with AAD (Managed)Learn
38aks-008Microsoft.ContainerService/managedClustersSecurityMediumAKS should be RBAC enabled.Learn
39aks-010Microsoft.ContainerService/managedClustersSecurityMediumAKS should have httpApplicationRouting disabledLearn
40aks-012Microsoft.ContainerService/managedClustersSecurityHighAKS should have outbound type set to user defined routingLearn
41aks-015Microsoft.ContainerService/managedClustersGovernanceLowAKS should have tagsLearn
42aks-016Microsoft.ContainerService/managedClustersScalabilityLowAKS Node Pools should have MaxSurge setLearn
430611251f-e70f-4243-8ddd-cfe894bec2e7Microsoft.ContainerService/managedClustersHighAvailabilityHighUpdate AKS tier to Standard or PremiumLearn
44a7bfcc18-b0d8-4d37-81f3-8131ed8bead5Microsoft.ContainerService/managedClustersScalabilityMediumUse Ephemeral OS disks on AKS clustersLearn
457f7ae535-a5ba-4665-b7e0-c451dbdda01fMicrosoft.ContainerService/managedClustersHighAvailabilityHighConfigure system nodepool countLearn
46e620fa98-7a40-41a0-bfc9-b4407297fb58Microsoft.ContainerService/managedClustersHighAvailabilityHighNodepool subnet size needs to accommodate maximum auto-scale settingsLearn
47ca324d71-54b0-4a3e-b9e4-10e767daa9fcMicrosoft.ContainerService/managedClustersSecurityHighDisable local accountsLearn
48902c82ff-4910-4b61-942d-0d6ef7f39b67Microsoft.ContainerService/managedClustersScalabilityHighEnable the cluster auto-scaler on an existing clusterLearn
49269a9f1a-6675-460a-831e-b05a887a8c4bMicrosoft.ContainerService/managedClustersDisasterRecoveryLowBack up Azure Kubernetes ServiceLearn
505f3cbd68-692a-4121-988c-9770914859a9Microsoft.ContainerService/managedClustersOtherBestPracticesLowEnable GitOps when using DevOps frameworksLearn
5126ebaf1f-c70d-4ebd-8641-4b60a0ce0094Microsoft.ContainerService/managedClustersGovernanceLowEnable and remediate Azure Policies configured for AKSLearn
52f46b0d1d-56ef-4795-b98a-f6ee00cb341aMicrosoft.ContainerService/managedClustersHighAvailabilityHighUse Azure Linux for Linux nodepoolsLearn
534f63619f-5001-439c-bacb-8de891287727Microsoft.ContainerService/managedClustersHighAvailabilityHighDeploy AKS cluster across availability zonesLearn
545ee083cd-6ac3-4a83-8913-9549dd36cf56Microsoft.ContainerService/managedClustersHighAvailabilityHighIsolate system and application podsLearn
55c22db132-399b-4e7c-995d-577a60881be8Microsoft.ContainerService/managedClustersScalabilityMediumConfigure Azure CNI networking for dynamic allocation of IPs or use CNI overlayLearn
56dcaf8128-94bd-4d53-9235-3a0371df6b74Microsoft.ContainerService/managedClustersMonitoringAndAlertingHighEnable AKS MonitoringLearn
57005ccbbd-aeab-46ef-80bd-9bd4479412ecMicrosoft.ContainerService/managedClustersHighAvailabilityHighConfigure user nodepool countLearn
58amg-001Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana name should comply with naming conventionsLearn
59amg-002Microsoft.Dashboard/managedGrafanaHighAvailabilityHighAzure Managed Grafana SLALearn
60amg-003Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana should have tagsLearn
61amg-004Microsoft.Dashboard/managedGrafanaSecurityHighAzure Managed Grafana should disable public network accessLearn
62amg-005Microsoft.Dashboard/managedGrafanaHighAvailabilityHighAzure Managed Grafana should have availability zones enabledLearn
636cd57b65-ef84-4088-9ada-c0d8de74c2f7Microsoft.Dashboard/grafanaHighAvailabilityMediumEnable zone redundancy in Managed GrafanaLearn
64apim-001Microsoft.ApiManagement/serviceMonitoringAndAlertingLowAPIM should have diagnostic settings enabledLearn
65apim-003Microsoft.ApiManagement/serviceHighAvailabilityHighAPIM should have a SLALearn
66apim-004Microsoft.ApiManagement/serviceSecurityHighAPIM should have private endpoints enabledLearn
67apim-006Microsoft.ApiManagement/serviceGovernanceLowAPIM should comply with naming conventionsLearn
68apim-007Microsoft.ApiManagement/serviceGovernanceLowAPIM should have tagsLearn
69apim-008Microsoft.ApiManagement/serviceSecurityMediumAPIM should use Managed IdentitiesLearn
70apim-009Microsoft.ApiManagement/serviceSecurityHighAPIM should only accept a minimum of TLS 1.2Learn
71apim-010Microsoft.ApiManagement/serviceSecurityHighAPIM should should not accept weak or deprecated ciphers.Learn
72apim-011Microsoft.ApiManagement/serviceSecurityHighAPIM: Renew expiring certificatesLearn
73baf3bfc0-32a2-4c0c-926d-c9bf0b49808eMicrosoft.ApiManagement/serviceHighAvailabilityHighMigrate API Management services to Premium SKU to support Availability ZonesLearn
74740f2c1c-8857-4648-80eb-47d2c56d5a50Microsoft.ApiManagement/serviceHighAvailabilityHighEnable Availability Zones on Premium API Management instancesLearn
75e35cf148-8eee-49d1-a1c9-956160f99e0bMicrosoft.ApiManagement/serviceHighAvailabilityHighAzure API Management platform version should be stv2Learn
76appcs-001Microsoft.AppConfiguration/configurationStoresMonitoringAndAlertingLowAppConfiguration should have diagnostic settings enabledLearn
77appcs-003Microsoft.AppConfiguration/configurationStoresHighAvailabilityHighAppConfiguration should have a SLALearn
78appcs-004Microsoft.AppConfiguration/configurationStoresSecurityHighAppConfiguration should have private endpoints enabledLearn
79appcs-006Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration Name should comply with naming conventionsLearn
80appcs-007Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration should have tagsLearn
81appcs-008Microsoft.AppConfiguration/configurationStoresSecurityMediumAppConfiguration should have local authentication disabledLearn
82bb4c8db4-f821-475b-b1ea-16e95358665eMicrosoft.AppConfiguration/configurationStoresGovernanceLowEnable Purge protection for Azure App ConfigurationLearn
832102a57a-a056-4d5e-afe5-9df9f92177caMicrosoft.AppConfiguration/configurationStoresHighAvailabilityHighUpgrade to App Configuration Standard tierLearn
84appi-001Microsoft.Insights/componentsHighAvailabilityHighAzure Application Insights SLALearn
85appi-002Microsoft.Insights/componentsGovernanceLowAzure Application Insights Name should comply with naming conventionsLearn
86appi-003Microsoft.Insights/componentsGovernanceLowAzure Application Insights should have tagsLearn
87dac421ec-2832-4c37-839e-b6dc5a38f2faMicrosoft.Insights/componentsServiceUpgradeAndRetirementMediumConvert Classic DeploymentsLearn
88as-001Microsoft.AnalysisServices/serversMonitoringAndAlertingLowAzure Analysis Service should have diagnostic settings enabledLearn
89as-002Microsoft.AnalysisServices/serversHighAvailabilityHighAzure Analysis Service should have a SLALearn
90as-004Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service Name should comply with naming conventionsLearn
91as-005Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service should have tagsLearn
92app-001Microsoft.Web/sitesMonitoringAndAlertingLowApp Service should have diagnostic settings enabledLearn
93app-004Microsoft.Web/sitesSecurityHighApp Service should have private endpoints enabledLearn
94app-006Microsoft.Web/sitesGovernanceLowApp Service Name should comply with naming conventionsLearn
95app-007Microsoft.Web/sitesSecurityHighApp Service should use HTTPS onlyLearn
96app-008Microsoft.Web/sitesGovernanceLowApp Service should have tagsLearn
97app-009Microsoft.Web/sitesSecurityMediumApp Service should use VNET integrationLearn
98app-010Microsoft.Web/sitesSecurityMediumApp Service should have VNET Route all enabled for VNET integrationLearn
99app-011Microsoft.Web/sitesSecurityHighApp Service should use TLS 1.2Learn
100app-012Microsoft.Web/sitesSecurityHighApp Service remote debugging should be disabledLearn
101app-013Microsoft.Web/sitesSecurityHighApp Service should not allow insecure FTPLearn
102app-014Microsoft.Web/sitesScalabilityHighApp Service should have Always On enabledLearn
103app-015Microsoft.Web/sitesHighAvailabilityMediumApp Service should avoid using Client AffinityLearn
104app-016Microsoft.Web/sitesSecurityMediumApp Service should use Managed IdentitiesLearn
105asp-001Microsoft.Web/serverfarmsMonitoringAndAlertingLowPlan should have diagnostic settings enabledLearn
106asp-003Microsoft.Web/serverfarmsHighAvailabilityHighPlan should have a SLALearn
107asp-006Microsoft.Web/serverfarmsGovernanceLowPlan Name should comply with naming conventionsLearn
108asp-007Microsoft.Web/serverfarmsGovernanceLowPlan should have tagsLearn
109func-001Microsoft.Web/sitesMonitoringAndAlertingLowFunction should have diagnostic settings enabledLearn
110func-004Microsoft.Web/sitesSecurityHighFunction should have private endpoints enabledLearn
111func-006Microsoft.Web/sitesGovernanceLowFunction Name should comply with naming conventionsLearn
112func-007Microsoft.Web/sitesSecurityHighFunction should use HTTPS onlyLearn
113func-008Microsoft.Web/sitesGovernanceLowFunction should have tagsLearn
114func-009Microsoft.Web/sitesSecurityMediumFunction should use VNET integrationLearn
115func-010Microsoft.Web/sitesSecurityMediumFunction should have VNET Route all enabled for VNET integrationLearn
116func-011Microsoft.Web/sitesSecurityMediumFunction should use TLS 1.2Learn
117func-012Microsoft.Web/sitesSecurityMediumFunction remote debugging should be disabledLearn
118func-013Microsoft.Web/sitesHighAvailabilityMediumFunction should avoid using Client AffinityLearn
119func-014Microsoft.Web/sitesSecurityMediumFunction should use Managed IdentitiesLearn
120logics-001Microsoft.Web/sitesMonitoringAndAlertingLowLogic App should have diagnostic settings enabledLearn
121logics-004Microsoft.Web/sitesSecurityHighLogic App should have private endpoints enabledLearn
122logics-006Microsoft.Web/sitesGovernanceLowLogic App Name should comply with naming conventionsLearn
123logics-007Microsoft.Web/sitesSecurityHighLogic App should use HTTPS onlyLearn
124logics-008Microsoft.Web/sitesGovernanceLowLogic App should have tagsLearn
125logics-009Microsoft.Web/sitesSecurityMediumLogic App should use VNET integrationLearn
126logics-010Microsoft.Web/sitesSecurityMediumLogic App should have VNET Route all enabled for VNET integrationLearn
127logics-011Microsoft.Web/sitesSecurityMediumLogic App should use TLS 1.2Learn
128logics-012Microsoft.Web/sitesSecurityMediumLogic App remote debugging should be disabledLearn
129logics-013Microsoft.Web/sitesHighAvailabilityMediumLogic App should avoid using Client AffinityLearn
130logics-014Microsoft.Web/sitesSecurityMediumLogic App should use Managed IdentitiesLearn
131b2113023-a553-2e41-9789-597e2fb54c31Microsoft.Web/serverFarmsHighAvailabilityHighUse Standard or Premium tierLearn
13207243659-4643-d44c-a1c6-07ac21635072Microsoft.Web/serverFarmsScalabilityMediumAvoid scaling up or downLearn
133855ca19a-6518-4f2e-9e5a-01796fbca9f8Microsoft.Web/serverFarmsScalabilityHighSet minimum instance count to 2 for app serviceLearn
13488cb90c2-3b99-814b-9820-821a63f600ddMicrosoft.Web/serverFarmsHighAvailabilityHighMigrate App Service to availability Zone SupportLearn
135a1d91661-32d4-430b-b3b6-5adeb0975df7Microsoft.Web/sitesGovernanceLowDeploy to a staging slotLearn
1360b80b67c-afbe-4988-ad58-a85a146b681eMicrosoft.Web/sitesOtherBestPracticesMediumStore configuration as app settingsLearn
137fd049c28-ae6d-48f0-a641-cc3ba1a3fe1dMicrosoft.Web/sitesOtherBestPracticesHighEnable Health check for App ServicesLearn
138aab6b4a4-9981-43a4-8728-35c7ecbb746dMicrosoft.Web/sitesGovernanceMediumConfigure network access restrictionsLearn
139c6c4b962-5af4-447a-9d74-7b9c53a5dff5Microsoft.Web/sitesHighAvailabilityLowEnable auto heal for Functions AppLearn
1409ec5b4c8-3dd8-473a-86ee-3273290331b9Microsoft.AVS/privateCloudsHighAvailabilityLowEnable Stretched Clusters for Multi-AZ Availability of the vSAN DatastoreLearn
1414232eb32-3241-4049-9e14-9b8005817b56Microsoft.AVS/privateCloudsMonitoringAndAlertingHighConfigure Azure Monitor Alert warning thresholds for vSAN datastore utilizationLearn
1424ee5d535-c47b-470a-9557-4a3dd297d62fMicrosoft.AVS/privateCloudsMonitoringAndAlertingHighMonitor CPU Utilization to ensure sufficient resources for workloadsLearn
14374fcb9f2-9a25-49a6-8c42-d32851c4afb7Microsoft.AVS/privateCloudsMonitoringAndAlertingHighConfigure Azure Service Health notifications and alerts for Azure VMware SolutionLearn
144029208c8-5186-4a76-8ee8-6e3445fef4ddMicrosoft.AVS/privateCloudsMonitoringAndAlertingHighMonitor Memory Utilization to ensure sufficient resources for workloadsLearn
145ca-003Microsoft.App/containerAppsHighAvailabilityHighContainerApp should have a SLALearn
146ca-006Microsoft.App/containerAppsGovernanceLowContainerApp Name should comply with naming conventionsLearn
147ca-007Microsoft.App/containerAppsGovernanceLowContainerApp should have tagsLearn
148ca-008Microsoft.App/containerAppsSecurityLowContainerApp should not allow insecure ingress trafficLearn
149ca-009Microsoft.App/containerAppsSecurityLowContainerApp should use Managed IdentitiesLearn
150ca-010Microsoft.App/containerAppsHighAvailabilityLowContainerApp should use Azure Files to persist container dataLearn
151ca-011Microsoft.App/containerAppsHighAvailabilityLowContainerApp should avoid using session affinityLearn
152cae-001Microsoft.App/managedenvironmentsMonitoringAndAlertingLowContainer Apps Environment should have diagnostic settings enabledLearn
153cae-003Microsoft.App/managedenvironmentsHighAvailabilityHighContainer Apps Environment should have a SLALearn
154cae-004Microsoft.App/managedenvironmentsSecurityHighContainer Apps Environment should have private endpoints enabledLearn
155cae-006Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment Name should comply with naming conventionsLearn
156cae-007Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment should have tagsLearn
157f4201965-a88d-449d-b3b4-021394719eb2Microsoft.App/managedenvironmentsHighAvailabilityHighDeploy zone redundant Container app environmentsLearn
158ci-002Microsoft.ContainerInstance/containerGroupsHighAvailabilityHighContainerInstance should have availability zones enabledLearn
159ci-003Microsoft.ContainerInstance/containerGroupsHighAvailabilityHighContainerInstance should have a SLALearn
160ci-004Microsoft.ContainerInstance/containerGroupsSecurityHighContainerInstance should use private IP addressesLearn
161ci-006Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance Name should comply with naming conventionsLearn
162ci-007Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance should have tagsLearn
163cog-001Microsoft.CognitiveServices/accountsMonitoringAndAlertingLowCognitive Service Account should have diagnostic settings enabledLearn
164cog-003Microsoft.CognitiveServices/accountsHighAvailabilityHighCognitive Service Account should have a SLALearn
165cog-004Microsoft.CognitiveServices/accountsSecurityHighCognitive Service Account should have private endpoints enabledLearn
166cog-006Microsoft.CognitiveServices/accountsGovernanceLowCognitive Service Account Name should comply with naming conventionsLearn
167cog-007Microsoft.CognitiveServices/accountsGovernanceLowCognitive Service Account should have tagsLearn
168cog-008Microsoft.CognitiveServices/accountsSecurityMediumCognitive Service Account should have local authentication disabledLearn
169f6a14b32-a727-4ace-b5fa-7b1c6bdff402Microsoft.Network/connectionsScalabilityMediumFor better data path performance enable FastPath on ExpressRoute ConnectionsLearn
170cosmos-001Microsoft.DocumentDB/databaseAccountsMonitoringAndAlertingLowCosmosDB should have diagnostic settings enabledLearn
| 171 | cosmos-002 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | CosmosDB should have availability zones enabled | Learn |
| 172 | cosmos-003 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | CosmosDB should have a SLA | Learn |
| 173 | cosmos-004 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have private endpoints enabled | Learn |
| 174 | cosmos-006 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB Name should comply with naming conventions | Learn |
| 175 | cosmos-007 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB should have tags | Learn |
| 176 | cosmos-008 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have local authentication disabled | Learn |
| 177 | cosmos-009 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | Learn |
| 178 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Configure at least two regions for high availability | Learn |
| 179 | 921631f6-ed59-49a5-94c1-f0f3ececa580 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Enable availability zones | Learn |
| 180 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
| 181 | 9ce78192-74a0-104c-b5bb-9a443f941649 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Evaluate multi-region write capability | Learn |
| 182 | e544520b-8505-7841-9e77-1f1974ee86ec | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Configure continuous backup mode | Learn |
| 183 | cr-001 | Microsoft.ContainerRegistry/registries | MonitoringAndAlerting | Low | ContainerRegistry should have diagnostic settings enabled | Learn |
| 184 | cr-003 | Microsoft.ContainerRegistry/registries | HighAvailability | High | ContainerRegistry should have a SLA | Learn |
| 185 | cr-004 | Microsoft.ContainerRegistry/registries | Security | High | ContainerRegistry should have private endpoints enabled | Learn |
| 186 | cr-006 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry Name should comply with naming conventions | Learn |
| 187 | cr-008 | Microsoft.ContainerRegistry/registries | Security | Medium | ContainerRegistry should have the Administrator account disabled | Learn |
| 188 | cr-009 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry should have tags | Learn |
| 189 | cr-010 | Microsoft.ContainerRegistry/registries | Governance | Medium | ContainerRegistry should use retention policies | Learn |
| 190 | 3ef86f16-f65b-c645-9901-7830d6dc3a1b | Microsoft.ContainerRegistry/registries | Scalability | Medium | Manage registry size | Learn |
| 191 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | Security | Medium | Disable anonymous pull access | Learn |
| 192 | eb005943-40a8-194b-9db2-474d430046b7 | Microsoft.ContainerRegistry/registries | Scalability | High | Use Premium tier for critical production workloads | Learn |
| 193 | 8e389532-5db5-7e4c-9d4d-443b3e55ae82 | Microsoft.ContainerRegistry/registries | Governance | Low | Move Container Registry to a dedicated resource group | Learn |
| 194 | e7f0fd54-fba0-054e-9ab8-e676f2851f88 | Microsoft.ContainerRegistry/registries | DisasterRecovery | Low | Enable soft delete policy | Learn |
| 195 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | HighAvailability | Medium | Enable zone redundancy | Learn |
| 196 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | DisasterRecovery | High | Create container registries with geo-replication enabled | Learn |
| 197 | dbw-001 | Microsoft.Databricks/workspaces | MonitoringAndAlerting | Low | Azure Databricks should have diagnostic settings enabled | Learn |
| 198 | dbw-003 | Microsoft.Databricks/workspaces | HighAvailability | High | Azure Databricks should have a SLA | Learn |
| 199 | dbw-004 | Microsoft.Databricks/workspaces | Security | High | Azure Databricks should have private endpoints enabled | Learn |
| 200 | dbw-006 | Microsoft.Databricks/workspaces | Governance | Low | Azure Databricks Name should comply with naming conventions | Learn |
| 201 | dbw-007 | Microsoft.Databricks/workspaces | Security | Medium | Azure Databricks should have the Public IP disabled | Learn |
| 202 | dec-001 | Microsoft.Kusto/clusters | MonitoringAndAlerting | Low | Azure Data Explorer should have diagnostic settings enabled | Learn |
| 203 | dec-002 | Microsoft.Kusto/clusters | HighAvailability | High | Azure Data Explorer SLA | Learn |
| 204 | dec-003 | Microsoft.Kusto/clusters | HighAvailability | High | Azure Data Explorer Production Cluster should not use Dev SKU | Learn |
| 205 | dec-004 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer Name should comply with naming conventions | Learn |
| 206 | dec-005 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer should have tags | Learn |
| 207 | dec-008 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should use Disk Encryption | Learn |
| 208 | dec-009 | Microsoft.Kusto/clusters | Security | Low | Azure Data Explorer should use Managed Identities | Learn |
| 209 | fa0cf4f5-0b21-47b7-89a9-ee936f193ce1 | Microsoft.Compute/disks | HighAvailability | Medium | Use Azure Disks with Zone Redundant Storage for higher resiliency and availability | Learn |
| 210 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/disks | OtherBestPractices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 211 | d40c769d-2f08-4980-8d8f-a386946276e6 | Microsoft.Network/expressRouteCircuits | Scalability | Medium | Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow | Learn |
| 212 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | HighAvailability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 213 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | Medium | Ensure ExpressRoute Direct is not over-subscribed | Learn |
| 214 | evgd-001 | Microsoft.EventGrid/domains | MonitoringAndAlerting | Low | Event Grid Domain should have diagnostic settings enabled | Learn |
| 215 | evgd-003 | Microsoft.EventGrid/domains | HighAvailability | High | Event Grid Domain should have a SLA | Learn |
| 216 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 217 | evgd-006 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain Name should comply with naming conventions | Learn |
| 218 | evgd-007 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain should have tags | Learn |
| 219 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 220 | evh-001 | Microsoft.EventHub/namespaces | MonitoringAndAlerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 221 | evh-003 | Microsoft.EventHub/namespaces | HighAvailability | High | Event Hub Namespace should have a SLA | Learn |
| 222 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 223 | evh-006 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub Namespace Name should comply with naming conventions | Learn |
| 224 | evh-007 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub should have tags | Learn |
| 225 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 226 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 227 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | HighAvailability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 228 | b49a39fd-f431-4b61-9062-f2157849d845 | Microsoft.Compute/galleries | HighAvailability | Medium | A minimum of three replicas should be kept for production image versions | Learn |
| 229 | 488dcc8b-f2e3-40ce-bf95-73deb2db095f | Microsoft.Compute/galleries | HighAvailability | Medium | Zone redundant storage should be used for image versions | Learn |
| 230 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | HighAvailability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 231 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | MonitoringAndAlerting | Low | Disabled Fallback Route | Learn |
| 232 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | HighAvailability | High | Do not use free tier | Learn |
| 233 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 234 | it-006 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template Name should comply with naming conventions | Learn |
| 235 | it-007 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template should have tags | Learn |
| 236 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | DisasterRecovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 237 | kv-001 | Microsoft.KeyVault/vaults | MonitoringAndAlerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 238 | kv-003 | Microsoft.KeyVault/vaults | HighAvailability | High | Key Vault should have a SLA | Learn |
| 239 | kv-006 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault Name should comply with naming conventions | Learn |
| 240 | kv-007 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault should have tags | Learn |
| 241 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | DisasterRecovery | High | Key vaults should have soft delete enabled | Learn |
| 242 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | DisasterRecovery | Medium | Key vaults should have purge protection enabled | Learn |
| 243 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 244 | lb-001 | Microsoft.Network/loadBalancers | MonitoringAndAlerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 245 | lb-003 | Microsoft.Network/loadBalancers | HighAvailability | High | Load Balancer should have a SLA | Learn |
| 246 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 247 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 248 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | HighAvailability | High | Use Standard Load Balancer SKU | Learn |
| 249 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 250 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | HighAvailability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 251 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 252 | e5f5fcea-f925-4578-8599-9a391e888a60 | Microsoft.Network/loadBalancers | MonitoringAndAlerting | High | Use Health Probes to detect backend instances availability | Learn |
| 253 | log-003 | Microsoft.OperationalInsights/workspaces | HighAvailability | High | Log Analytics Workspace SLA | Learn |
| 254 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 255 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 256 | logic-001 | Microsoft.Logic/workflows | MonitoringAndAlerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 257 | logic-003 | Microsoft.Logic/workflows | HighAvailability | High | Logic App should have a SLA | Learn |
| 258 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 259 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 260 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 261 | maria-001 | Microsoft.DBforMariaDB/servers | MonitoringAndAlerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 262 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 263 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming conventions | Learn |
| 264 | maria-004 | Microsoft.DBforMariaDB/servers | HighAvailability | High | MariaDB server should have a SLA | Learn |
| 265 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn |
| 266 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn |
| 267 | mysql-001 | Microsoft.DBforMySQL/servers | MonitoringAndAlerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 268 | mysql-003 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server should have a SLA | Learn |
| 269 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 270 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn |
| 271 | mysql-007 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 272 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn |
| 273 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | MonitoringAndAlerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 274 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn |
| 275 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 276 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn |
| 277 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | Learn |
| 278 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 279 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 280 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 281 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 282 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 283 | e30317d2-c502-4dfe-a2d3-0a737cc79545 | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable Cross-region replication of Azure NetApp Files volumes | Learn |
| 284 | e3d742e1-dacd-9b48-b6b1-510ec9f87c96 | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable Cross-zone replication of Azure NetApp Files volumes | Learn |
| 285 | ab984130-c57b-6c4a-8d04-6723b4e1bdb6 | Microsoft.NetApp/netAppAccounts | Scalability | High | Use standard network features for production in Azure NetApp Files | Learn |
| 286 | 47d100a5-7f85-5742-967a-67eb5081240a | Microsoft.NetApp/netAppAccounts | HighAvailability | High | Use availability zones for high availability in Azure NetApp Files | Learn |
| 287 | 72827434-c773-4345-9493-34848ddf5803 | Microsoft.NetApp/netAppAccounts | HighAvailability | High | Use snapshots for data protection in Azure NetApp Files | Learn |
| 288 | b2fb3e60-97ec-e34d-af29-b16a0d61c2ac | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable backup for data protection in Azure NetApp Files | Learn |
| 289 | ng-001 | Microsoft.Network/natGateways | MonitoringAndAlerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 290 | ng-003 | Microsoft.Network/natGateways | HighAvailability | High | NAT Gateway SLA | Learn |
| 291 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn |
| 292 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn |
| 293 | nsg-001 | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | NSG should have diagnostic settings enabled | Learn |
| 294 | nsg-003 | Microsoft.Network/networkSecurityGroups | HighAvailability | High | NSG SLA | Learn |
| 295 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn |
| 296 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn |
| 297 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 298 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn |
| 299 | nw-003 | Microsoft.Network/networkWatchers | HighAvailability | High | Network Watcher SLA | Learn |
| 300 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn |
| 301 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn |
| 302 | 22a769ed-0ecb-8b49-bafe-8f52e6373d9c | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Low | Fix Flow Log configurations in Failed state or Disabled Status | Learn |
| 303 | bf0b7dbd-016d-458c-af99-70fcb03ad451 | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Medium | Enable traffic analytics in Virtual Network Flow Logs configuration | Learn |
| 304 | pep-003 | Microsoft.Network/privateEndpoints | HighAvailability | High | Private Endpoint SLA | Learn |
| 305 | pep-006 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint Name should comply with naming conventions | Learn |
| 306 | pep-007 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint should have tags | Learn |
| 307 | b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 | Microsoft.Network/privateEndpoints | HighAvailability | Medium | Resolve issues with Private Endpoints in non Succeeded connection state | Learn |
| 308 | pip-003 | Microsoft.Network/publicIPAddresses | HighAvailability | High | Public IP SLA | Learn |
| 309 | pip-006 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP Name should comply with naming conventions | Learn |
| 310 | pip-007 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP should have tags | Learn |
| 311 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn |
| 312 | c4254c66-b8a5-47aa-82f6-e7d7fb418f47 | Microsoft.Network/publicIPAddresses | Security | Medium | Public IP addresses should have DDoS protection enabled | Learn |
| 313 | c63b81fb-7afc-894c-a840-91bb8a8dcfaf | Microsoft.Network/publicIPAddresses | HighAvailability | High | Use Standard SKU and Zone-Redundant IPs when applicable | Learn |
| 314 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn |
| 315 | psql-001 | Microsoft.DBforPostgreSQL/servers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 316 | psql-003 | Microsoft.DBforPostgreSQL/servers | HighAvailability | High | PostgreSQL should have a SLA | Learn |
| 317 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn |
| 318 | psql-006 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 319 | psql-007 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL should have tags | Learn |
| 320 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn |
| 321 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn |
| 322 | psqlf-001 | Microsoft.DBforPostgreSQL/flexibleServers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 323 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | PostgreSQL should have a SLA | Learn |
| 324 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn |
| 325 | psqlf-006 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 326 | psqlf-007 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL should have tags | Learn |
| 327 | ca87914f-aac4-4783-ab67-82a6f936f194 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 328 | b2bad57d-7e03-4c0f-9024-597c9eb295bb | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 329 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 330 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 331 | redis-001 | Microsoft.Cache/Redis | MonitoringAndAlerting | Low | Redis should have diagnostic settings enabled | Learn |
| 332 | redis-003 | Microsoft.Cache/Redis | HighAvailability | High | Redis should have a SLA | Learn |
| 333 | redis-006 | Microsoft.Cache/Redis | Governance | Low | Redis Name should comply with naming conventions | Learn |
| 334 | redis-007 | Microsoft.Cache/Redis | Governance | Low | Redis should have tags | Learn |
| 335 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn |
| 336 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn |
| 337 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | HighAvailability | High | Enable zone redundancy for Azure Cache for Redis | Learn |
| 338 | c474fc96-4e6a-4fb0-95d0-a26b3f35933c | Microsoft.Cache/redis | Security | Medium | Configure Private Endpoints | Learn |
| 339 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | MonitoringAndAlerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn |
| 340 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn |
| 341 | 9e39919b-78af-4a0b-b70f-c548dae97c25 | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Soft Delete for Recovery Services Vaults in Azure Backup | Learn |
| 342 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.RecoveryServices/vaults | DisasterRecovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn |
| 343 | udr-003 | Microsoft.Network/routeTables | HighAvailability | High | Route Table SLA | Learn |
| 344 | udr-006 | Microsoft.Network/routeTables | Governance | Low | Route Table Name should comply with naming conventions | Learn |
| 345 | udr-007 | Microsoft.Network/routeTables | Governance | Low | Route Table should have tags | Learn |
| 346 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | MonitoringAndAlerting | Medium | Monitor changes in Route Tables with Azure Monitor | Learn |
| 347 | sb-001 | Microsoft.ServiceBus/namespaces | MonitoringAndAlerting | Low | Service Bus should have diagnostic settings enabled | Learn |
| 348 | sb-003 | Microsoft.ServiceBus/namespaces | HighAvailability | High | Service Bus should have a SLA | Learn |
| 349 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn |
| 350 | sb-006 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus Name should comply with naming conventions | Learn |
| 351 | sb-007 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus should have tags | Learn |
| 352 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn |
| 353 | f075a1bd-de9e-4819-9a1d-1ac41037a74f | Microsoft.ServiceBus/namespaces | ServiceUpgradeAndRetirement | High | Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher | Learn |
| 354 | sigr-001 | Microsoft.SignalRService/SignalR | MonitoringAndAlerting | Low | SignalR should have diagnostic settings enabled | Learn |
| 355 | sigr-003 | Microsoft.SignalRService/SignalR | HighAvailability | High | SignalR should have a SLA | Learn |
| 356 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn |
| 357 | sigr-006 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR Name should comply with naming conventions | Learn |
| 358 | sigr-007 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR should have tags | Learn |
| 359 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | HighAvailability | High | Enable zone redundancy for SignalR | Learn |
| 360 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn |
| 361 | sql-006 | Microsoft.Sql/servers | Governance | Low | SQL Name should comply with naming conventions | Learn |
| 362 | sql-007 | Microsoft.Sql/servers | Governance | Low | SQL should have tags | Learn |
| 363 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn |
| 364 | sqldb-001 | Microsoft.Sql/servers/databases | MonitoringAndAlerting | Low | SQL Database should have diagnostic settings enabled | Learn |
| 365 | sqldb-003 | Microsoft.Sql/servers/databases | HighAvailability | High | SQL Database should have a SLA | Learn |
| 366 | sqldb-006 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database Name should comply with naming conventions | Learn |
| 367 | sqldb-007 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database should have tags | Learn |
| 368 | sqlep-002 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool Name should comply with naming conventions | Learn |
| 369 | sqlep-003 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool should have tags | Learn |
| 370 | 7e7daec9-6a81-3546-a4cc-9aef72fec1f7 | Microsoft.Sql/servers | MonitoringAndAlerting | High | Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents | Learn |
| 371 | 74c2491d-048b-0041-a140-935960220e20 | Microsoft.Sql/servers | DisasterRecovery | High | Use Active Geo Replication to Create a Readable Secondary in Another Region | Learn |
| 372 | 943c168a-2ec2-a94c-8015-85732a1b4859 | Microsoft.Sql/servers | DisasterRecovery | High | Auto Failover Groups can encompass one or multiple databases, usually used by the same app. | Learn |
| 373 | c0085c32-84c0-c247-bfa9-e70977cbf108 | Microsoft.Sql/servers | HighAvailability | High | Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency | Learn |
| 374 | st-001 | Microsoft.Storage/storageAccounts | MonitoringAndAlerting | Low | Storage should have diagnostic settings enabled | Learn |
| 375 | st-003 | Microsoft.Storage/storageAccounts | HighAvailability | High | Storage should have a SLA | Learn |
| 376 | st-006 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Name should comply with naming conventions | Learn |
| 377 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn |
| 378 | st-008 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Account should have tags | Learn |
| 379 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn |
| 380 | st-010 | Microsoft.Storage/storageAccounts | DisasterRecovery | Low | Storage Account should have immutable storage versioning enabled | Learn |
| 381 | st-011 | Microsoft.Storage/storageAccounts | DisasterRecovery | Medium | Storage Account should have soft delete enabled | Learn |
| 382 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn |
| 383 | dc55be60-6f8c-461e-a9d5-a3c7686ed94e | Microsoft.Storage/storageAccounts | Security | Medium | Enable Azure Private Link service for storage accounts | Learn |
| 384 | e6c7e1cc-2f47-264d-aa50-1da421314472 | Microsoft.Storage/storageAccounts | HighAvailability | High | Ensure that storage accounts are zone or region redundant | Learn |
| 385 | syndp-001 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool Name should comply with naming conventions | Learn |
| 386 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | HighAvailability | High | Azure Synapse Dedicated SQL Pool SLA | Learn |
| 387 | syndp-003 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool should have tags | Learn |
| 388 | synsp-001 | Microsoft.Synapse/workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool Name should comply with naming conventions | Learn |
| 389 | synsp-002 | Microsoft.Synapse/workspaces/bigDataPools | HighAvailability | High | Azure Synapse Spark Pool SLA | Learn |
| 390 | synsp-003 | Microsoft.Synapse/workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool should have tags | Learn |
| 391 | synw-001 | Microsoft.Synapse/workspaces | MonitoringAndAlerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn |
| 392 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn |
| 393 | synw-003 | Microsoft.Synapse/workspaces | HighAvailability | High | Azure Synapse Workspace SLA | Learn |
| 394 | synw-004 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace Name should comply with naming conventions | Learn |
| 395 | synw-005 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace should have tags | Learn |
| 396 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn |
| 397 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn |
| 398 | traf-001 | Microsoft.Network/trafficManagerProfiles | MonitoringAndAlerting | Low | Traffic Manager should have diagnostic settings enabled | Learn |
| 399 | traf-002 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager should have availability zones enabled | Learn |
| 400 | traf-003 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager should have a SLA | Learn |
| 401 | traf-006 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager Name should comply with naming conventions | Learn |
| 402 | traf-007 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager should have tags | Learn |
| 403 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn |
| 404 | f05a3e6d-49db-2740-88e2-2b13706c1f67 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager Monitor Status Should be Online | Learn |
| 405 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | HighAvailability | Medium | Traffic manager profiles should have more than one endpoint | Learn |
| 406 | 1ad9d7b7-9692-1441-a8f4-93792efbe97a | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | Medium | Configure at least one endpoint within another region | Learn |
| 407 | c31f76a0-48cd-9f44-aa43-99ee904db9bc | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | High | Ensure endpoint configured to (All World) for geographic profiles | Learn |
| 408 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Network/trafficManagerProfiles | BusinessContinuity | High | Avoid combining Traffic Manager and Front Door | Learn |
| 409 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | Governance | Medium | Configure host pool scheduled agent updates | Learn |
| 410 | vgw-001 | Microsoft.Network/virtualNetworkGateways | MonitoringAndAlerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn |
| 411 | vgw-002 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway Name should comply with naming conventions | Learn |
| 412 | vgw-003 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway should have tags | Learn |
| 413 | vgw-004 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Virtual Network Gateway should have a SLA | Learn |
| 414 | vgw-005 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Storage should have availability zones enabled | Learn |
| 415 | 3e115044-a3aa-433e-be01-ce17d67e50da | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled ExpressRoute gateway maintenance | Learn |
| 416 | 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Deploy VPN gateways with zone-redundant Public IPs | Learn |
| 417 | d37db635-157f-584d-9bce-4f6fc8c65ce5 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Connect ExpressRoute gateway with circuits from diverse peering locations | Learn |
| 418 | bbe668b7-eb5c-c746-8b82-70afdedf0cae | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Use Zone-redundant ExpressRoute gateway SKUs | Learn |
| 419 | 5b1933a6-90e4-f642-a01f-e58594e5aab2 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Choose a Zone-redundant VPN gateway | Learn |
| 420 | 281a2713-c0e0-3c48-b596-19f590c46671 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Enable Active-Active VPN Gateways for redundancy | Learn |
| 421 | vm-003 | Microsoft.Compute/virtualMachines | HighAvailability | High | Virtual Machine should have a SLA | Learn |
| 422 | vm-006 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine Name should comply with naming conventions | Learn |
| 423 | vm-007 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine should have tags | Learn |
| 424 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | HighAvailability | High | Use Managed Disks for VM disks | Learn |
| 425 | 82b3cf6b-9ae2-2e44-b193-10793213f676 | Microsoft.Compute/virtualMachines | Security | Low | VM network interfaces and associated subnets both have a Network Security Group associated | Learn |
| 426 | 1cf8fe21-9593-1e4e-966b-779a294c0d30 | Microsoft.Compute/virtualMachines | OtherBestPractices | Low | Customer DNS Servers should be configured in the Virtual Network level | Learn |
| 427 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | HighAvailability | High | Deploy VMs across Availability Zones | Learn |
| 428 | a8d25876-7951-b646-b4e8-880c9031596b | Microsoft.Compute/virtualMachines | HighAvailability | High | Migrate VMs using availability sets to VMSS Flex | Learn |
| 429 | b72214bb-e879-5f4b-b9cd-642db84f36f4 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Enable VM Insights | Learn |
| 430 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn |
| 431 | cfe22a65-b1db-fd41-9e8e-d573922709ae | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Replicate VMs using Azure Site Recovery | Learn |
| 432 | dfedbeb1-1519-fc47-86a5-52f96cf07105 | Microsoft.Compute/virtualMachines | Scalability | Medium | Enable Accelerated Networking (AccelNet) | Learn |
| 433 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Backup VMs with Azure Backup service | Learn |
| 434 | 98b334c0-8578-6046-9e43-b6e8fce6318e | Microsoft.Compute/virtualMachines | Governance | Low | Review VMs in stopped state | Learn |
| 435 | c42343ae-2712-2843-a285-3437eb0b28a1 | Microsoft.Compute/virtualMachines | Governance | Low | Ensure that your VMs are compliant with Azure Policies | Learn |
| 436 | 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4 | Microsoft.Compute/virtualMachines | Security | Medium | VMs should not have a Public IP directly associated | Learn |
| 437 | 70b1d2be-e6c4-b54e-9959-b1b690f9e485 | Microsoft.Compute/virtualMachines | Security | Low | Network access to the VM disk should be set to Disable public access and enable private access | Learn |
| 438 | 4a9d8973-6dba-0042-b3aa-07924877ebd5 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Configure monitoring for all Azure Virtual Machines | Learn |
| 439 | 4ea2878f-0d69-8d4a-b715-afc10d1e538e | Microsoft.Compute/virtualMachines | Scalability | Low | Host database data on a data disk | Learn |
| 440 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | Security | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn |
| 441 | f0a97179-133a-6e4f-8a49-8a44da73ffce | Microsoft.Compute/virtualMachines | Security | High | Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled | Learn |
| 442 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | HighAvailability | High | Run production workloads on two or more VMs using VMSS Flex | Learn |
| 443 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | HighAvailability | High | Use maintenance configurations for the VMs | Learn |
| 444 | df0ff862-814d-45a3-95e4-4fad5a244ba6 | Microsoft.Compute/virtualMachines | Scalability | High | Mission Critical Workloads should consider using Premium or Ultra Disks | Learn |
| 445 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | HighAvailability | High | Reserve Compute Capacity for critical workloads | Learn |
| 446 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Virtual Machine should have a SLA | Learn |
| 447 | vmss-004 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set Name should comply with naming conventions | Learn |
| 448 | vmss-005 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set should have tags | Learn |
| 449 | e7495e1c-0c75-0946-b266-b429b5c7f3bf | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Deploy VMSS with Flex orchestration mode instead of Uniform | Learn |
| 450 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn |
| 451 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Deploy VMSS across availability zones with VMSS Flex | Learn |
| 452 | e4ffd7b0-ba24-c84e-9352-ba4819f908c0 | Microsoft.Compute/virtualMachineScaleSets | OtherBestPractices | Low | Set Patch orchestration options to Azure-orchestrated | Learn |
| 453 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | MonitoringAndAlerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn |
| 454 | ee66ff65-9aa3-2345-93c1-25827cf79f44 | Microsoft.Compute/virtualMachineScaleSets | Scalability | High | Configure VMSS Autoscale to custom and configure the scaling metrics | Learn |
| 455 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn |
| 456 | b5a63aa0-c58e-244f-b8a6-cbba0560a6db | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Disable Force strictly even balance across zones to avoid scale in and out fail attempts | Learn |
457vnet-001Microsoft.Network/virtualNetworksMonitoringAndAlertingLowVirtual Network should have diagnostic settings enabledLearn
458vnet-006Microsoft.Network/virtualNetworksGovernanceLowVirtual Network Name should comply with naming conventionsLearn
459vnet-007Microsoft.Network/virtualNetworksGovernanceLowVirtual Network should have tagsLearn
460vnet-009Microsoft.Network/virtualNetworksHighAvailabilityHighVirtual Network should have at least two DNS servers assignedLearn
461f0bf9ae6-25a5-974d-87d5-025abec73539Microsoft.Network/virtualNetworksSecurityLowAll Subnets should have a Network Security Group associatedLearn
46269ea1185-19b7-de40-9da1-9e8493547a5cMicrosoft.Network/virtualNetworksSecurityHighShield public endpoints in Azure VNets with Azure DDoS Standard Protection PlansLearn
46324ae3773-cc2c-3649-88de-c9788e25b463Microsoft.Network/virtualNetworksSecurityMediumWhen available, use Private Endpoints instead of Service Endpoints for PaaS ServicesLearn
46406b77be9-56a3-4d41-b362-8b295c5a283dMicrosoft.Network/virtualNetworksMonitoringAndAlertingMediumEnable Virtual Network Flow LogsLearn
465vwa-001Microsoft.Network/virtualWansMonitoringAndAlertingMediumVirtual WAN should have diagnostic settings enabledLearn
466vwa-002Microsoft.Network/virtualWansHighAvailabilityHighVirtual WAN should have availability zones enabledLearn
467vwa-003Microsoft.Network/virtualWansHighAvailabilityHighVirtual WAN should have a SLALearn
468vwa-005Microsoft.Network/virtualWansHighAvailabilityHighVirtual WAN TypeLearn
469vwa-006Microsoft.Network/virtualWansGovernanceLowVirtual WAN Name should comply with naming conventionsLearn
470vwa-007Microsoft.Network/virtualWansGovernanceLowVirtual WAN should have tagsLearn
471wps-001Microsoft.SignalRService/webPubSubMonitoringAndAlertingLowWeb Pub Sub should have diagnostic settings enabledLearn
472wps-002Microsoft.SignalRService/webPubSubHighAvailabilityHighWeb Pub Sub should have availability zones enabledLearn
473wps-003Microsoft.SignalRService/webPubSubHighAvailabilityHighWeb Pub Sub should have a SLALearn
474wps-004Microsoft.SignalRService/webPubSubSecurityHighWeb Pub Sub should have private endpoints enabledLearn
475wps-006Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub Name should comply with naming conventionsLearn
476wps-007Microsoft.SignalRService/webPubSubGovernanceLowWeb Pub Sub should have tagsLearn

5 - Related Projects

Azure Quick Review compared to APRL, Azure Review Checklists and PSRule.Rules.Azure

AZQR and APRL

As of version 2.0.0-preview, Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the Azure Proactive Resiliency Library (APRL), which are used to identify non-compliant resources.

Azure Quick Review (azqr) extends APRL by providing per-service-instance SLAs, Diagnostic Settings detection and more. Scan results are therefore labeled AZQR or APRL to indicate the source of each recommendation.

APRL provides a curated catalog of resiliency recommendations for workloads running in Azure. Many of the recommendations contain supporting Azure Resource Graph (ARG) queries.

AZQR compared to Azure Review Checklists and PSRule.Rules.Azure

Azure Quick Review (azqr) was created to address a very specific need we had back in 2022. Initially, we had to run three assessments to get a clear picture of various solutions in terms of SLAs, use of Availability Zones, and Diagnostic Settings. At the time, we were not aware of the existence of the review-checklist or PSRule.Rules.Azure.

When some of our peers saw the assessments we were able to deliver with the early bits of Azure Quick Review (azqr), they asked us to add more checks (recommendations) and change the output format from markdown to Excel.

As many of our customers work in restrictive environments, the ability to run a self-contained, cross-platform binary while using read-only permissions became a key feature.

Moving forward to 2023, based on great feedback from both peers and customers, we moved the original repo to the Azure organization, added support for more services, fixed some issues and even added a Power BI template.

In August 2024, we added all APRL recommendations to Azure Quick Review (azqr) and removed duplicates in favor of the ones already available as Azure Resource Graph queries.

When compared with PSRule.Rules.Azure, Azure Quick Review (azqr) only scans deployed Azure resources and provides recommendations based on the current state. Azure Quick Review (azqr) does not scan ARM templates or Bicep files.

When compared to the review-checklist, Azure Quick Review (azqr) also provides an actionable list of more than 400 recommendations (70+ Azure resource types) that can be used to improve the resiliency of your Azure solutions.

6 - Troubleshooting & Support

Troubleshooting & Support

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue, please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

  • For new issues, file your bug or feature request as a new issue.
  • For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

8 - Contribution Guidelines

How to contribute to the project

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.