This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Azure Quick Review

1: Overview

2: Usage

3: Install

4: Recommendations

5: Related Projects

6: Troubleshooting & Support

7: Resources & References

8: Contribution Guidelines

Azure Quick Review! — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a command-line interface (CLI) tool specifically designed to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations. Its primary purpose is to provide users with a detailed overview of their Azure resources, enabling them to easily identify any non-compliant configurations or potential areas for improvement.

1 - Overview

Azure Quick Review — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure’s best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review Recommendations

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

Azure Resource Graph (ARG) queries provided by the Azure Proactive Resiliency Library v2 (APRL) project.
Azure Resource Manager (ARM) queries built with the Golang SDK

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

Scan Results

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

Recommendations: a list with all recommendations with the number of resources that are impacted. You can youse this table as an action plan to improve the compliance of your resources.
ImpactedResources: a list with all resources that are impacted. You can use this table to identify resources that have issues that need to be addressed.
ResourceTypes: a list of impacted resource types.
Inventory: a list of all resources scanned by the tool. Here you’ll find details such as SKU, Tier, Kind or calculated SLA.
Advisor: a list of recommendations provided by Azure Advisor.
Defender: a list of Microsoft Defender for Cloud plans and their tiers.
Costs: a list of costs associated with the scanned subscription for the last 3 months.

By default, Azure Quick Review (azqr) obfuscates the Subscription Ids in the output to ensure the protection of sensitive information and maintain data privacy and security. If you want to display the Subscription Ids without obfuscation, you can use the --mask=false flag when executing the tool.

Azure Quick Review can also generate an csv files with the same information as the excel. To generate the csv files, you can use the --csv flag when running the tool.

A Power BI template is also available to help you visualize the results generated by Azure Quick Review. You can create the template running Azure Quick Review with the pbi command and then loading the excel file generated by the tool.

Supported Azure Services

Azure Quick Review (azqr) currently supports the following Azure services:

Microsoft.AVS/privateClouds
Microsoft.AnalysisServices/servers
Microsoft.ApiManagement/service
Microsoft.App/containerApps
Microsoft.App/managedenvironments
Microsoft.AppConfiguration/configurationStores
Microsoft.Automation/automationAccounts
Microsoft.Batch/batchAccounts
Microsoft.Cache/Redis
Microsoft.Cdn/profiles
Microsoft.CognitiveServices/accounts
Microsoft.Compute/galleries
Microsoft.Compute/virtualMachineScaleSets
Microsoft.Compute/virtualMachines
Microsoft.ContainerInstance/containerGroups
Microsoft.ContainerRegistry/registries
Microsoft.ContainerService/managedClusters
Microsoft.DBforMariaDB/servers
Microsoft.DBforMariaDB/servers/databases
Microsoft.DBforMySQL/flexibleServers
Microsoft.DBforMySQL/servers
Microsoft.DBforPostgreSQL/flexibleServers
Microsoft.DBforPostgreSQL/servers
Microsoft.Dashboard/grafana
Microsoft.DataFactory/factories
Microsoft.Databricks/workspaces
Microsoft.DesktopVirtualization/hostPools
Microsoft.DesktopVirtualization/scalingPlans
Microsoft.DesktopVirtualization/workspaces
Microsoft.Devices/IotHubs
Microsoft.DocumentDB/databaseAccounts
Microsoft.EventGrid/domains
Microsoft.EventHub/namespaces
Microsoft.Insights/activityLogAlerts
Microsoft.Insights/components
Microsoft.KeyVault/vaults
Microsoft.Kusto/clusters
Microsoft.Logic/workflows
Microsoft.NetApp/netAppAccounts
Microsoft.Network/ExpressRoutePorts
Microsoft.Network/applicationGateways
Microsoft.Network/azureFirewalls
Microsoft.Network/connections
Microsoft.Network/expressRouteCircuits
Microsoft.Network/frontdoorWebApplicationFirewallPolicies
Microsoft.Network/loadBalancers
Microsoft.Network/natGateways
Microsoft.Network/networkSecurityGroups
Microsoft.Network/networkWatcherScanners
Microsoft.Network/privateDnsZones
Microsoft.Network/privateEndpoints
Microsoft.Network/publicIPAddresses
Microsoft.Network/routeTables
Microsoft.Network/trafficManagerProfiles
Microsoft.Network/virtualNetworkGateways
Microsoft.Network/virtualNetworks
Microsoft.OperationalInsights/workspaces
Microsoft.RecoveryServices/vaults
Microsoft.ServiceBus/namespaces
Microsoft.SignalRService/SignalR
Microsoft.SignalRService/webPubSub
Microsoft.Sql/servers
Microsoft.Sql/servers/databases
Microsoft.Sql/servers/elasticPools
Microsoft.Storage/storageAccounts
Microsoft.Synapse workspaces/bigDataPools
Microsoft.Synapse/workspaces
Microsoft.Synapse/workspaces/sqlPools
Microsoft.VirtualMachineImages/imageTemplates
Microsoft.Web/serverFarms
Microsoft.Web/sites
Specialized.Workload/AVD
Specialized.Workload/AVS
Specialized.Workload/HPC
Specialized.Workload/SAP

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct

Trademark Notice

Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.

2 - Usage

Use Azure Quick Review — to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Authentication

Azure Quick Review (azqr) supports the following authentication methods:

Service Principal. You’ll need to set the following environment variables:
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_TENANT_ID
Azure Managed Identity
Azure CLI (Using this type of authentication will make scans run slower)

Authorization

Azure Quick Review (azqr) requires the following permissions:

Subscription Reader

Running the Scan

To scan all resource groups in all subscription run:

./azqr scan

To scan all resource groups in a specific subscription run:

./azqr scan -s <subscription_id>

To scan a specific resource group in a specific subscription run:

./azqr scan -s <subscription_id> -g <resource_group_name>

For information on available commands and help run:

./azqr -h

Filtering Recommendations and more

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

./azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.

3 - Install

Learn how to install Azure Quick Review (azqr)

Install on Linux or Azure Cloud Shell

latest_azqr=$(curl -sL https://api.github.com/repos/Azure/azqr/releases/latest | jq -r ".tag_name" | cut -c1-)
wget https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-ubuntu-latest-amd64 -O azqr
chmod +x azqr

Install on Windows

Use winget:

winget install azqr

or download the executable file:

$latest_azqr=$(iwr https://api.github.com/repos/Azure/azqr/releases/latest).content | convertfrom-json | Select-Object -ExpandProperty tag_name
iwr https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-windows-latest-amd64.exe -OutFile azqr.exe

Install on Mac

Use homebrew:

brew install azqr

or download the latest release from here.

4 - Recommendations

Recommendations

Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

#	Id	Resource Type	Category	Impact	Recommendation	Learn
1	dbw-001	Microsoft.Databricks/workspaces	Monitoring and Alerting	Low	Azure Databricks should have diagnostic settings enabled	Learn
2	dbw-003	Microsoft.Databricks/workspaces	High Availability	High	Azure Databricks should have a SLA	Learn
3	dbw-004	Microsoft.Databricks/workspaces	Security	High	Azure Databricks should have private endpoints enabled	Learn
4	dbw-006	Microsoft.Databricks/workspaces	Governance	Low	Azure Databricks Name should comply with naming conventions	Learn
5	dbw-007	Microsoft.Databricks/workspaces	Security	Medium	Azure Databricks should have the Public IP disabled	Learn
6	adf-001	Microsoft.DataFactory/factories	Monitoring and Alerting	Low	Azure Data Factory should have diagnostic settings enabled	Learn
7	adf-002	Microsoft.DataFactory/factories	Security	High	Azure Data Factory should have private endpoints enabled	Learn
8	adf-003	Microsoft.DataFactory/factories	High Availability	High	Azure Data Factory SLA	Learn
9	adf-004	Microsoft.DataFactory/factories	Governance	Low	Azure Data Factory Name should comply with naming conventions	Learn
10	adf-005	Microsoft.DataFactory/factories	Governance	Low	Azure Data Factory should have tags	Learn
11	afd-001	Microsoft.Cdn/profiles	Monitoring and Alerting	Low	Azure FrontDoor should have diagnostic settings enabled	Learn
12	afd-003	Microsoft.Cdn/profiles	High Availability	High	Azure FrontDoor SLA	Learn
13	afd-006	Microsoft.Cdn/profiles	Governance	Low	Azure FrontDoor Name should comply with naming conventions	Learn
14	afd-007	Microsoft.Cdn/profiles	Governance	Low	Azure FrontDoor should have tags	Learn
15	38f3d542-6de6-a44b-86c6-97e3be690281	Microsoft.Cdn/profiles	HighAvailability	Low	Disable health probes when there is only one origin in an origin group	Learn
16	d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1	Microsoft.Cdn/profiles	Security	High	Use end-to-end TLS	Learn
17	1bd2b7e8-400f-e64a-99a2-c572f7b08a62	Microsoft.Cdn/profiles	Security	Medium	Enable the WAF	Learn
18	24ab9f11-a3e4-3043-a985-22cf94c4933a	Microsoft.Cdn/profiles	Security	High	Use HTTP to HTTPS redirection	Learn
19	afw-001	Microsoft.Network/azureFirewalls	Monitoring and Alerting	Low	Azure Firewall should have diagnostic settings enabled	Learn
20	afw-003	Microsoft.Network/azureFirewalls	High Availability	High	Azure Firewall SLA	Learn
21	afw-006	Microsoft.Network/azureFirewalls	Governance	Low	Azure Firewall Name should comply with naming conventions	Learn
22	afw-007	Microsoft.Network/azureFirewalls	Governance	Low	Azure Firewall should have tags	Learn
23	c72b7fee-1fa0-5b4b-98e5-54bcae95bb74	Microsoft.Network/azureFirewalls	HighAvailability	High	Deploy Azure Firewall across multiple availability zones	Learn
24	3c8fa7c6-6b78-a24a-a63f-348a7c71acb9	Microsoft.Network/azureFirewalls	MonitoringAndAlerting	High	Monitor Azure Firewall metrics	Learn
25	1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d	Microsoft.Network/azureFirewalls	Security	High	Configure DDoS Protection on the Azure Firewall VNet	Learn
26	agw-005	Microsoft.Network/applicationGateways	Monitoring and Alerting	Low	Application Gateway: Monitor and Log the configurations and traffic	Learn
27	agw-103	Microsoft.Network/applicationGateways	High Availability	High	Application Gateway SLA	Learn
28	agw-105	Microsoft.Network/applicationGateways	Governance	Low	Application Gateway Name should comply with naming conventions	Learn
29	agw-106	Microsoft.Network/applicationGateways	Governance	Low	Application Gateway should have tags	Learn
30	233a7008-71e9-e745-923e-1a1c7a0b92f3	Microsoft.Network/applicationGateways	Security	High	Secure all incoming connections with SSL	Learn
31	8d9223c4-730d-ca47-af88-a9a024c37270	Microsoft.Network/applicationGateways	Security	Low	Enable Web Application Firewall policies	Learn
32	8364fd0a-7c0e-e240-9d95-4bf965aec243	Microsoft.Network/applicationGateways	OtherBestPractices	High	Ensure Application Gateway Subnet is using a /24 subnet mask	Learn
33	823b0cff-05c0-2e4e-a1e7-9965e1cfa16f	Microsoft.Network/applicationGateways	Scalability	Medium	Ensure Autoscale feature has been enabled	Learn
34	7893f0b3-8622-1d47-beed-4b50a19f7895	Microsoft.Network/applicationGateways	Scalability	High	Migrate to Application Gateway v2	Learn
35	847a8d88-21c4-bc48-a94e-562206edd767	Microsoft.Network/applicationGateways	MonitoringAndAlerting	High	Use Health Probes to detect backend availability	Learn
36	c9c00f2a-3888-714b-a72b-b4c9e8fcffb2	Microsoft.Network/applicationGateways	HighAvailability	High	Deploy Application Gateway in a zone-redundant configuration	Learn
37	10f02bc6-e2e7-004d-a2c2-f9bf9f16b915	Microsoft.Network/applicationGateways	HighAvailability	Medium	Plan for backend maintenance by using connection draining	Learn
38	aks-001	Microsoft.ContainerService/managedClusters	Monitoring and Alerting	Low	AKS Cluster should have diagnostic settings enabled	Learn
39	aks-003	Microsoft.ContainerService/managedClusters	High Availability	High	AKS Cluster should have an SLA	Learn
40	aks-004	Microsoft.ContainerService/managedClusters	Security	High	AKS Cluster should be private	Learn
41	aks-006	Microsoft.ContainerService/managedClusters	Governance	Low	AKS Name should comply with naming conventions	Learn
42	aks-007	Microsoft.ContainerService/managedClusters	Security	Medium	AKS should integrate authentication with AAD (Managed)	Learn
43	aks-008	Microsoft.ContainerService/managedClusters	Security	Medium	AKS should be RBAC enabled.	Learn
44	aks-010	Microsoft.ContainerService/managedClusters	Security	Medium	AKS should have httpApplicationRouting disabled	Learn
45	aks-012	Microsoft.ContainerService/managedClusters	Security	High	AKS should have outbound type set to user defined routing	Learn
46	aks-015	Microsoft.ContainerService/managedClusters	Governance	Low	AKS should have tags	Learn
47	aks-016	Microsoft.ContainerService/managedClusters	Scalability	Low	AKS Node Pools should have MaxSurge set	Learn
48	dcaf8128-94bd-4d53-9235-3a0371df6b74	Microsoft.ContainerService/managedClusters	MonitoringAndAlerting	High	Enable AKS Monitoring	Learn
49	5ee083cd-6ac3-4a83-8913-9549dd36cf56	Microsoft.ContainerService/managedClusters	HighAvailability	High	Isolate system and application pods	Learn
50	0611251f-e70f-4243-8ddd-cfe894bec2e7	Microsoft.ContainerService/managedClusters	HighAvailability	High	Update AKS tier to Standard or Premium	Learn
51	a7bfcc18-b0d8-4d37-81f3-8131ed8bead5	Microsoft.ContainerService/managedClusters	Scalability	Medium	Use Ephemeral OS disks on AKS clusters	Learn
52	c22db132-399b-4e7c-995d-577a60881be8	Microsoft.ContainerService/managedClusters	Scalability	Medium	Configure Azure CNI networking for dynamic allocation of IPs or use CNI overlay	Learn
53	269a9f1a-6675-460a-831e-b05a887a8c4b	Microsoft.ContainerService/managedClusters	DisasterRecovery	Low	Back up Azure Kubernetes Service	Learn
54	5f3cbd68-692a-4121-988c-9770914859a9	Microsoft.ContainerService/managedClusters	OtherBestPractices	Low	Enable GitOps when using DevOps frameworks	Learn
55	902c82ff-4910-4b61-942d-0d6ef7f39b67	Microsoft.ContainerService/managedClusters	Scalability	High	Enable the cluster auto-scaler on an existing cluster	Learn
56	26ebaf1f-c70d-4ebd-8641-4b60a0ce0094	Microsoft.ContainerService/managedClusters	Governance	Low	Enable and remediate Azure Policies configured for AKS	Learn
57	7f7ae535-a5ba-4665-b7e0-c451dbdda01f	Microsoft.ContainerService/managedClusters	HighAvailability	High	Configure system nodepool count	Learn
58	005ccbbd-aeab-46ef-80bd-9bd4479412ec	Microsoft.ContainerService/managedClusters	HighAvailability	High	Configure user nodepool count	Learn
59	e620fa98-7a40-41a0-bfc9-b4407297fb58	Microsoft.ContainerService/managedClusters	HighAvailability	High	Nodepool subnet size needs to accommodate maximum auto-scale settings	Learn
60	f46b0d1d-56ef-4795-b98a-f6ee00cb341a	Microsoft.ContainerService/managedClusters	HighAvailability	High	Use Azure Linux for Linux nodepools	Learn
61	4f63619f-5001-439c-bacb-8de891287727	Microsoft.ContainerService/managedClusters	HighAvailability	High	Deploy AKS cluster across availability zones	Learn
62	ca324d71-54b0-4a3e-b9e4-10e767daa9fc	Microsoft.ContainerService/managedClusters	Security	High	Disable local accounts	Learn
63	amg-001	Microsoft.Dashboard/managedGrafana	Governance	Low	Azure Managed Grafana name should comply with naming conventions	Learn
64	amg-002	Microsoft.Dashboard/managedGrafana	High Availability	High	Azure Managed Grafana SLA	Learn
65	amg-003	Microsoft.Dashboard/managedGrafana	Governance	Low	Azure Managed Grafana should have tags	Learn
66	amg-004	Microsoft.Dashboard/managedGrafana	Security	High	Azure Managed Grafana should disable public network access	Learn
67	amg-005	Microsoft.Dashboard/managedGrafana	High Availability	High	Azure Managed Grafana should have availability zones enabled	Learn
68	6cd57b65-ef84-4088-9ada-c0d8de74c2f7	Microsoft.Dashboard/grafana	HighAvailability	Medium	Enable zone redundancy in Managed Grafana	Learn
69	apim-001	Microsoft.ApiManagement/service	Monitoring and Alerting	Low	APIM should have diagnostic settings enabled	Learn
70	apim-003	Microsoft.ApiManagement/service	High Availability	High	APIM should have a SLA	Learn
71	apim-004	Microsoft.ApiManagement/service	Security	High	APIM should have private endpoints enabled	Learn
72	apim-006	Microsoft.ApiManagement/service	Governance	Low	APIM should comply with naming conventions	Learn
73	apim-007	Microsoft.ApiManagement/service	Governance	Low	APIM should have tags	Learn
74	apim-008	Microsoft.ApiManagement/service	Security	Medium	APIM should use Managed Identities	Learn
75	apim-009	Microsoft.ApiManagement/service	Security	High	APIM should only accept a minimum of TLS 1.2	Learn
76	apim-010	Microsoft.ApiManagement/service	Security	High	APIM should should not accept weak or deprecated ciphers.	Learn
77	apim-011	Microsoft.ApiManagement/service	Security	High	APIM: Renew expiring certificates	Learn
78	740f2c1c-8857-4648-80eb-47d2c56d5a50	Microsoft.ApiManagement/service	HighAvailability	High	Enable Availability Zones on Premium API Management instances	Learn
79	e35cf148-8eee-49d1-a1c9-956160f99e0b	Microsoft.ApiManagement/service	HighAvailability	High	Azure API Management platform version should be stv2	Learn
80	baf3bfc0-32a2-4c0c-926d-c9bf0b49808e	Microsoft.ApiManagement/service	HighAvailability	High	Migrate API Management services to Premium SKU to support Availability Zones	Learn
81	appcs-001	Microsoft.AppConfiguration/configurationStores	Monitoring and Alerting	Low	AppConfiguration should have diagnostic settings enabled	Learn
82	appcs-003	Microsoft.AppConfiguration/configurationStores	High Availability	High	AppConfiguration should have a SLA	Learn
83	appcs-004	Microsoft.AppConfiguration/configurationStores	Security	High	AppConfiguration should have private endpoints enabled	Learn
84	appcs-006	Microsoft.AppConfiguration/configurationStores	Governance	Low	AppConfiguration Name should comply with naming conventions	Learn
85	appcs-007	Microsoft.AppConfiguration/configurationStores	Governance	Low	AppConfiguration should have tags	Learn
86	appcs-008	Microsoft.AppConfiguration/configurationStores	Security	Medium	AppConfiguration should have local authentication disabled	Learn
87	bb4c8db4-f821-475b-b1ea-16e95358665e	Microsoft.AppConfiguration/configurationStores	Governance	Low	Enable Purge protection for Azure App Configuration	Learn
88	2102a57a-a056-4d5e-afe5-9df9f92177ca	Microsoft.AppConfiguration/configurationStores	HighAvailability	High	Upgrade to App Configuration Standard tier	Learn
89	appi-001	Microsoft.Insights/components	High Availability	High	Azure Application Insights SLA	Learn
90	appi-002	Microsoft.Insights/components	Governance	Low	Azure Application Insights Name should comply with naming conventions	Learn
91	appi-003	Microsoft.Insights/components	Governance	Low	Azure Application Insights should have tags	Learn
92	dac421ec-2832-4c37-839e-b6dc5a38f2fa	Microsoft.Insights/components	ServiceUpgradeAndRetirement	Medium	Convert Classic Deployments	Learn
93	as-001	Microsoft.AnalysisServices/servers	Monitoring and Alerting	Low	Azure Analysis Service should have diagnostic settings enabled	Learn
94	as-002	Microsoft.AnalysisServices/servers	High Availability	High	Azure Analysis Service should have a SLA	Learn
95	as-004	Microsoft.AnalysisServices/servers	Governance	Low	Azure Analysis Service Name should comply with naming conventions	Learn
96	as-005	Microsoft.AnalysisServices/servers	Governance	Low	Azure Analysis Service should have tags	Learn
97	4232eb32-3241-4049-9e14-9b8005817b56	Microsoft.AVS/privateClouds	MonitoringAndAlerting	High	Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization	Learn
98	029208c8-5186-4a76-8ee8-6e3445fef4dd	Microsoft.AVS/privateClouds	MonitoringAndAlerting	High	Monitor Memory Utilization to ensure sufficient resources for workloads	Learn
99	74fcb9f2-9a25-49a6-8c42-d32851c4afb7	Microsoft.AVS/privateClouds	MonitoringAndAlerting	High	Configure Azure Service Health notifications and alerts for Azure VMware Solution	Learn
100	9ec5b4c8-3dd8-473a-86ee-3273290331b9	Microsoft.AVS/privateClouds	HighAvailability	Low	Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore	Learn
101	4ee5d535-c47b-470a-9557-4a3dd297d62f	Microsoft.AVS/privateClouds	MonitoringAndAlerting	High	Monitor CPU Utilization to ensure sufficient resources for workloads	Learn
102	cae-001	Microsoft.App/managedenvironments	Monitoring and Alerting	Low	Container Apps Environment should have diagnostic settings enabled	Learn
103	cae-003	Microsoft.App/managedenvironments	High Availability	High	Container Apps Environment should have a SLA	Learn
104	cae-004	Microsoft.App/managedenvironments	Security	High	Container Apps Environment should have private endpoints enabled	Learn
105	cae-006	Microsoft.App/managedenvironments	Governance	Low	Container Apps Environment Name should comply with naming conventions	Learn
106	cae-007	Microsoft.App/managedenvironments	Governance	Low	Container Apps Environment should have tags	Learn
107	f4201965-a88d-449d-b3b4-021394719eb2	Microsoft.App/managedenvironments	HighAvailability	High	Deploy zone redundant Container app environments	Learn
108	ca-003	Microsoft.App/containerApps	High Availability	High	ContainerApp should have a SLA	Learn
109	ca-006	Microsoft.App/containerApps	Governance	Low	ContainerApp Name should comply with naming conventions	Learn
110	ca-007	Microsoft.App/containerApps	Governance	Low	ContainerApp should have tags	Learn
111	ca-008	Microsoft.App/containerApps	Security	Low	ContainerApp should not allow insecure ingress traffic	Learn
112	ca-009	Microsoft.App/containerApps	Security	Low	ContainerApp should use Managed Identities	Learn
113	ca-010	Microsoft.App/containerApps	High Availability	Low	ContainerApp should use Azure Files to persist container data	Learn
114	ca-011	Microsoft.App/containerApps	High Availability	Low	ContainerApp should avoid using session affinity	Learn
115	ci-002	Microsoft.ContainerInstance/containerGroups	High Availability	High	ContainerInstance should have availability zones enabled	Learn
116	ci-003	Microsoft.ContainerInstance/containerGroups	High Availability	High	ContainerInstance should have a SLA	Learn
117	ci-004	Microsoft.ContainerInstance/containerGroups	Security	High	ContainerInstance should use private IP addresses	Learn
118	ci-006	Microsoft.ContainerInstance/containerGroups	Governance	Low	ContainerInstance Name should comply with naming conventions	Learn
119	ci-007	Microsoft.ContainerInstance/containerGroups	Governance	Low	ContainerInstance should have tags	Learn
120	cog-001	Microsoft.CognitiveServices/accounts	Monitoring and Alerting	Low	Cognitive Service Account should have diagnostic settings enabled	Learn
121	cog-003	Microsoft.CognitiveServices/accounts	High Availability	High	Cognitive Service Account should have a SLA	Learn
122	cog-004	Microsoft.CognitiveServices/accounts	Security	High	Cognitive Service Account should have private endpoints enabled	Learn
123	cog-006	Microsoft.CognitiveServices/accounts	Governance	Low	Cognitive Service Account Name should comply with naming conventions	Learn
124	cog-007	Microsoft.CognitiveServices/accounts	Governance	Low	Cognitive Service Account should have tags	Learn
125	cog-008	Microsoft.CognitiveServices/accounts	Security	Medium	Cognitive Service Account should have local authentication disabled	Learn
126	d6d9e18a-9ad2-491e-878d-86d621785453	Microsoft.CognitiveServices/Accounts	MonitoringAndAlerting	Low	Enable diagnostic logging for Azure AI services and send the data to Log Analytics	Learn
127	f6a14b32-a727-4ace-b5fa-7b1c6bdff402	Microsoft.Network/connections	Scalability	Medium	For better data path performance enable FastPath on ExpressRoute Connections	Learn
128	cosmos-001	Microsoft.DocumentDB/databaseAccounts	Monitoring and Alerting	Low	CosmosDB should have diagnostic settings enabled	Learn
129	cosmos-002	Microsoft.DocumentDB/databaseAccounts	High Availability	High	CosmosDB should have availability zones enabled	Learn
130	cosmos-003	Microsoft.DocumentDB/databaseAccounts	High Availability	High	CosmosDB should have a SLA	Learn
131	cosmos-004	Microsoft.DocumentDB/databaseAccounts	Security	High	CosmosDB should have private endpoints enabled	Learn
132	cosmos-006	Microsoft.DocumentDB/databaseAccounts	Governance	Low	CosmosDB Name should comply with naming conventions	Learn
133	cosmos-007	Microsoft.DocumentDB/databaseAccounts	Governance	Low	CosmosDB should have tags	Learn
134	cosmos-008	Microsoft.DocumentDB/databaseAccounts	Security	High	CosmosDB should have local authentication disabled	Learn
135	cosmos-009	Microsoft.DocumentDB/databaseAccounts	Security	High	CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys	Learn
136	921631f6-ed59-49a5-94c1-f0f3ececa580	Microsoft.DocumentDB/databaseAccounts	HighAvailability	High	Enable availability zones	Learn
137	9ce78192-74a0-104c-b5bb-9a443f941649	Microsoft.DocumentDB/databaseAccounts	HighAvailability	High	Evaluate multi-region write capability	Learn
138	e544520b-8505-7841-9e77-1f1974ee86ec	Microsoft.DocumentDB/databaseAccounts	DisasterRecovery	High	Configure continuous backup mode	Learn
139	43663217-a1d3-844b-80ea-571a2ce37c6c	Microsoft.DocumentDB/databaseAccounts	HighAvailability	High	Configure at least two regions for high availability	Learn
140	9cabded7-a1fc-6e4a-944b-d7dd98ea31a2	Microsoft.DocumentDB/databaseAccounts	DisasterRecovery	High	Enable service-managed failover for multi-region accounts with single write region	Learn
141	cr-001	Microsoft.ContainerRegistry/registries	Monitoring and Alerting	Low	ContainerRegistry should have diagnostic settings enabled	Learn
142	cr-003	Microsoft.ContainerRegistry/registries	High Availability	High	ContainerRegistry should have a SLA	Learn
143	cr-004	Microsoft.ContainerRegistry/registries	Security	High	ContainerRegistry should have private endpoints enabled	Learn
144	cr-006	Microsoft.ContainerRegistry/registries	Governance	Low	ContainerRegistry Name should comply with naming conventions	Learn
145	cr-008	Microsoft.ContainerRegistry/registries	Security	Medium	ContainerRegistry should have the Administrator account disabled	Learn
146	cr-009	Microsoft.ContainerRegistry/registries	Governance	Low	ContainerRegistry should have tags	Learn
147	cr-010	Microsoft.ContainerRegistry/registries	Governance	Medium	ContainerRegistry should use retention policies	Learn
148	63491f70-22e4-3b4a-8b0c-845450e46fac	Microsoft.ContainerRegistry/registries	HighAvailability	Medium	Enable zone redundancy	Learn
149	36ea6c09-ef6e-d743-9cfb-bd0c928a430b	Microsoft.ContainerRegistry/registries	DisasterRecovery	High	Create container registries with geo-replication enabled	Learn
150	e7f0fd54-fba0-054e-9ab8-e676f2851f88	Microsoft.ContainerRegistry/registries	DisasterRecovery	Low	Enable soft delete policy	Learn
151	eb005943-40a8-194b-9db2-474d430046b7	Microsoft.ContainerRegistry/registries	Scalability	High	Use Premium tier for critical production workloads	Learn
152	8e389532-5db5-7e4c-9d4d-443b3e55ae82	Microsoft.ContainerRegistry/registries	Governance	Low	Move Container Registry to a dedicated resource group	Learn
153	3ef86f16-f65b-c645-9901-7830d6dc3a1b	Microsoft.ContainerRegistry/registries	Scalability	Medium	Manage registry size	Learn
154	03f4a7d8-c5b4-7842-8e6e-14997a34842b	Microsoft.ContainerRegistry/registries	Security	Medium	Disable anonymous pull access	Learn
155	dec-001	Microsoft.Kusto/clusters	Monitoring and Alerting	Low	Azure Data Explorer should have diagnostic settings enabled	Learn
156	dec-002	Microsoft.Kusto/clusters	High Availability	High	Azure Data Explorer SLA	Learn
157	dec-003	Microsoft.Kusto/clusters	High Availability	High	Azure Data Explorer Production Cluster should not use Dev SKU	Learn
158	dec-004	Microsoft.Kusto/clusters	Governance	Low	Azure Data Explorer Name should comply with naming conventions	Learn
159	dec-005	Microsoft.Kusto/clusters	Governance	Low	Azure Data Explorer should have tags	Learn
160	dec-008	Microsoft.Kusto/clusters	Security	High	Azure Data Explorer should use Disk Encryption	Learn
161	dec-009	Microsoft.Kusto/clusters	Security	Low	Azure Data Explorer should use Managed Identities	Learn
162	3263a64a-c256-de48-9818-afd3cbc55c2a	Microsoft.Compute/disks	OtherBestPractices	Medium	Shared disks should only be enabled in clustered servers	Learn
163	fa0cf4f5-0b21-47b7-89a9-ee936f193ce1	Microsoft.Compute/disks	HighAvailability	Medium	Use Azure Disks with Zone Redundant Storage for higher resiliency and availability	Learn
164	d40c769d-2f08-4980-8d8f-a386946276e6	Microsoft.Network/expressRouteCircuits	Scalability	Medium	Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow	Learn
165	60077378-7cb1-4b35-89bb-393884d9921d	Microsoft.Network/ExpressRoutePorts	HighAvailability	High	The Admin State of both Links of an ExpressRoute Direct should be in Enabled state	Learn
166	0bee356b-7348-4799-8cab-0c71ffe13018	Microsoft.Network/ExpressRoutePorts	Scalability	High	Ensure you do not over-subscribe an ExpressRoute Direct	Learn
167	evgd-001	Microsoft.EventGrid/domains	Monitoring and Alerting	Low	Event Grid Domain should have diagnostic settings enabled	Learn
168	evgd-003	Microsoft.EventGrid/domains	High Availability	High	Event Grid Domain should have a SLA	Learn
169	evgd-004	Microsoft.EventGrid/domains	Security	High	Event Grid Domain should have private endpoints enabled	Learn
170	evgd-006	Microsoft.EventGrid/domains	Governance	Low	Event Grid Domain Name should comply with naming conventions	Learn
171	evgd-007	Microsoft.EventGrid/domains	Governance	Low	Event Grid Domain should have tags	Learn
172	evgd-008	Microsoft.EventGrid/domains	Security	Medium	Event Grid Domain should have local authentication disabled	Learn
173	evh-001	Microsoft.EventHub/namespaces	Monitoring and Alerting	Low	Event Hub Namespace should have diagnostic settings enabled	Learn
174	evh-003	Microsoft.EventHub/namespaces	High Availability	High	Event Hub Namespace should have a SLA	Learn
175	evh-004	Microsoft.EventHub/namespaces	Security	High	Event Hub Namespace should have private endpoints enabled	Learn
176	evh-006	Microsoft.EventHub/namespaces	Governance	Low	Event Hub Namespace Name should comply with naming conventions	Learn
177	evh-007	Microsoft.EventHub/namespaces	Governance	Low	Event Hub should have tags	Learn
178	evh-008	Microsoft.EventHub/namespaces	Security	Medium	Event Hub should have local authentication disabled	Learn
179	84636c6c-b317-4722-b603-7b1ffc16384b	Microsoft.EventHub/namespaces	HighAvailability	High	Ensure zone redundancy is enabled in supported regions	Learn
180	fbfef3df-04a5-41b2-a8fd-b8541eb04956	Microsoft.EventHub/namespaces	Scalability	High	Enable auto-inflate on Event Hub Standard tier	Learn
181	it-006	Microsoft.VirtualMachineImages/imageTemplates	Governance	Low	Image Template Name should comply with naming conventions	Learn
182	it-007	Microsoft.VirtualMachineImages/imageTemplates	Governance	Low	Image Template should have tags	Learn
183	21fb841b-ba70-1f4e-a460-1f72fb41aa51	Microsoft.VirtualMachineImages/imageTemplates	DisasterRecovery	Low	Replicate your Image Templates to a secondary region	Learn
184	e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e	Microsoft.Devices/IotHubs	MonitoringAndAlerting	Low	Disabled Fallback Route	Learn
185	eeba3a49-fef0-481f-a471-7ff01139b474	Microsoft.Devices/IotHubs	HighAvailability	High	Do not use free tier	Learn
186	b1e1378d-4572-4414-bebd-b8872a6d4d1c	Microsoft.Devices/IotHubs	Scalability	High	Use Device Provisioning Service	Learn
187	b49a39fd-f431-4b61-9062-f2157849d845	Microsoft.Compute/galleries	HighAvailability	Medium	A minimum of three replicas should be kept for production image versions	Learn
188	488dcc8b-f2e3-40ce-bf95-73deb2db095f	Microsoft.Compute/galleries	HighAvailability	Medium	Zone redundant storage should be used for image versions	Learn
189	1c5e1e58-4e56-491c-8529-10f37af9d4ed	Microsoft.Compute/galleries	HighAvailability	Low	Consider creating TrustedLaunchSupported images where possible	Learn
190	kv-001	Microsoft.KeyVault/vaults	Monitoring and Alerting	Low	Key Vault should have diagnostic settings enabled	Learn
191	kv-003	Microsoft.KeyVault/vaults	High Availability	High	Key Vault should have a SLA	Learn
192	kv-006	Microsoft.KeyVault/vaults	Governance	Low	Key Vault Name should comply with naming conventions	Learn
193	kv-007	Microsoft.KeyVault/vaults	Governance	Low	Key Vault should have tags	Learn
194	1cca00d2-d9ab-8e42-a788-5d40f49405cb	Microsoft.KeyVault/vaults	DisasterRecovery	High	Key vaults should have soft delete enabled	Learn
195	70fcfe6d-00e9-5544-a63a-fff42b9f2edb	Microsoft.KeyVault/vaults	DisasterRecovery	Medium	Key vaults should have purge protection enabled	Learn
196	00c3d2b0-ea6e-4c4b-89be-b78a35caeb51	Microsoft.KeyVault/vaults	Security	Medium	Private endpoint should be configured for Key Vault	Learn
197	lb-001	Microsoft.Network/loadBalancers	Monitoring and Alerting	Low	Load Balancer should have diagnostic settings enabled	Learn
198	lb-003	Microsoft.Network/loadBalancers	High Availability	High	Load Balancer should have a SLA	Learn
199	lb-006	Microsoft.Network/loadBalancers	Governance	Low	Load Balancer Name should comply with naming conventions	Learn
200	lb-007	Microsoft.Network/loadBalancers	Governance	Low	Load Balancer should have tags	Learn
201	e5f5fcea-f925-4578-8599-9a391e888a60	Microsoft.Network/loadBalancers	MonitoringAndAlerting	High	Use Health Probes to detect backend instances availability	Learn
202	38c3bca1-97a1-eb42-8cd3-838b243f35ba	Microsoft.Network/loadBalancers	HighAvailability	High	Use Standard Load Balancer SKU	Learn
203	6d82d042-6d61-ad49-86f0-6a5455398081	Microsoft.Network/loadBalancers	HighAvailability	High	Ensure the Backend Pool contains at least two instances	Learn
204	8d319a05-677b-944f-b9b4-ca0fb42e883c	Microsoft.Network/loadBalancers	HighAvailability	Medium	Use NAT Gateway instead of Outbound Rules for Production Workloads	Learn
205	621dbc78-3745-4d32-8eac-9e65b27b7512	Microsoft.Network/loadBalancers	HighAvailability	High	Ensure Standard Load Balancer is zone-redundant	Learn
206	log-003	Microsoft.OperationalInsights/workspaces	High Availability	High	Log Analytics Workspace SLA	Learn
207	log-006	Microsoft.OperationalInsights/workspaces	Governance	Low	Log Analytics Workspace Name should comply with naming conventions	Learn
208	log-007	Microsoft.OperationalInsights/workspaces	Governance	Low	Log Analytics Workspace should have tags	Learn
209	logic-001	Microsoft.Logic/workflows	Monitoring and Alerting	Low	Logic App should have diagnostic settings enabled	Learn
210	logic-003	Microsoft.Logic/workflows	High Availability	High	Logic App should have a SLA	Learn
211	logic-004	Microsoft.Logic/workflows	Security	High	Logic App should limit access to Http Triggers	Learn
212	logic-006	Microsoft.Logic/workflows	Governance	Low	Logic App Name should comply with naming conventions	Learn
213	logic-007	Microsoft.Logic/workflows	Governance	Low	Logic App should have tags	Learn
214	maria-001	Microsoft.DBforMariaDB/servers	Monitoring and Alerting	Low	MariaDB should have diagnostic settings enabled	Learn
215	maria-002	Microsoft.DBforMariaDB/servers	Security	High	MariaDB should have private endpoints enabled	Learn
216	maria-003	Microsoft.DBforMariaDB/servers	Governance	Low	MariaDB server Name should comply with naming conventions	Learn
217	maria-004	Microsoft.DBforMariaDB/servers	High Availability	High	MariaDB server should have a SLA	Learn
218	maria-005	Microsoft.DBforMariaDB/servers	Governance	Low	MariaDB should have tags	Learn
219	maria-006	Microsoft.DBforMariaDB/servers	Security	Low	MariaDB should enforce TLS >= 1.2	Learn
220	mysqlf-001	Microsoft.DBforMySQL/flexibleServers	Monitoring and Alerting	Low	Azure Database for MySQL - Flexible Server should have diagnostic settings enabled	Learn
221	mysqlf-003	Microsoft.DBforMySQL/flexibleServers	High Availability	High	Azure Database for MySQL - Flexible Server should have a SLA	Learn
222	mysqlf-004	Microsoft.DBforMySQL/flexibleServers	Security	High	Azure Database for MySQL - Flexible Server should have private access enabled	Learn
223	mysqlf-006	Microsoft.DBforMySQL/flexibleServers	Governance	Low	Azure Database for MySQL - Flexible Server Name should comply with naming conventions	Learn
224	mysqlf-007	Microsoft.DBforMySQL/flexibleServers	Governance	Low	Azure Database for MySQL - Flexible Server should have tags	Learn
225	5c96afc3-7d2e-46ff-a4c7-9c32850c441b	Microsoft.DBforMySQL/flexibleServers	DisasterRecovery	High	Configure geo redundant backup storage	Learn
226	b49a8653-cc43-48c9-8513-a2d2e3f14dd1	Microsoft.DBforMySQL/flexibleServers	DisasterRecovery	High	Configure one or more read replicas	Learn
227	8176a79d-8645-4e52-96be-a10fc0204fe5	Microsoft.DBforMySQL/flexibleServers	Scalability	High	Configure storage auto-grow	Learn
228	88856605-53d8-4bbd-a75b-4a7b14939d32	Microsoft.DBforMySQL/flexibleServers	HighAvailability	High	Enable HA with zone redundancy	Learn
229	82a9a0f2-24ee-496f-9ad2-25f81710942d	Microsoft.DBforMySQL/flexibleServers	Scalability	High	Enable custom maintenance schedule	Learn
230	mysql-001	Microsoft.DBforMySQL/servers	Monitoring and Alerting	Low	Azure Database for MySQL - Single Server should have diagnostic settings enabled	Learn
231	mysql-003	Microsoft.DBforMySQL/servers	High Availability	High	Azure Database for MySQL - Single Server should have a SLA	Learn
232	mysql-004	Microsoft.DBforMySQL/servers	Security	High	Azure Database for MySQL - Single Server should have private endpoints enabled	Learn
233	mysql-006	Microsoft.DBforMySQL/servers	Governance	Low	Azure Database for MySQL - Single Server Name should comply with naming conventions	Learn
234	mysql-007	Microsoft.DBforMySQL/servers	High Availability	High	Azure Database for MySQL - Single Server is on the retirement path	Learn
235	mysql-008	Microsoft.DBforMySQL/servers	Governance	Low	Azure Database for MySQL - Single Server should have tags	Learn
236	ng-001	Microsoft.Network/natGateways	Monitoring and Alerting	Low	NAT Gateway should have diagnostic settings enabled	Learn
237	ng-003	Microsoft.Network/natGateways	High Availability	High	NAT Gateway SLA	Learn
238	ng-006	Microsoft.Network/natGateways	Governance	Low	NAT Gateway Name should comply with naming conventions	Learn
239	ng-007	Microsoft.Network/natGateways	Governance	Low	NAT Gateway should have tags	Learn
240	72827434-c773-4345-9493-34848ddf5803	Microsoft.NetApp/netAppAccounts	HighAvailability	High	Use snapshots for data protection in Azure NetApp Files	Learn
241	b2fb3e60-97ec-e34d-af29-b16a0d61c2ac	Microsoft.NetApp/netAppAccounts	DisasterRecovery	High	Enable backup for data protection in Azure NetApp Files	Learn
242	e3d742e1-dacd-9b48-b6b1-510ec9f87c96	Microsoft.NetApp/netAppAccounts	DisasterRecovery	High	Enable Cross-zone replication of Azure NetApp Files volumes	Learn
243	ab984130-c57b-6c4a-8d04-6723b4e1bdb6	Microsoft.NetApp/netAppAccounts	Scalability	High	Use standard network features for production in Azure NetApp Files	Learn
244	e30317d2-c502-4dfe-a2d3-0a737cc79545	Microsoft.NetApp/netAppAccounts	DisasterRecovery	High	Enable Cross-region replication of Azure NetApp Files volumes	Learn
245	47d100a5-7f85-5742-967a-67eb5081240a	Microsoft.NetApp/netAppAccounts	HighAvailability	High	Use availability zones for high availability in Azure NetApp Files	Learn
246	nsg-001	Microsoft.Network/networkSecurityGroups	Monitoring and Alerting	Low	NSG should have diagnostic settings enabled	Learn
247	nsg-003	Microsoft.Network/networkSecurityGroups	High Availability	High	NSG SLA	Learn
248	nsg-006	Microsoft.Network/networkSecurityGroups	Governance	Low	NSG Name should comply with naming conventions	Learn
249	nsg-007	Microsoft.Network/networkSecurityGroups	Governance	Low	NSG should have tags	Learn
250	8bb4a57b-55e4-d24e-9c19-2679d8bc779f	Microsoft.Network/networkSecurityGroups	MonitoringAndAlerting	Low	Monitor changes in Network Security Groups with Azure Monitor	Learn
251	8291c1fa-650c-b44b-b008-4deb7465919d	Microsoft.Network/networkSecurityGroups	Security	Medium	The NSG only has Default Security Rules, make sure to configure the necessary rules	Learn
252	nw-003	Microsoft.Network/networkWatchers	High Availability	High	Network Watcher SLA	Learn
253	nw-006	Microsoft.Network/networkWatchers	Governance	Low	Network Watcher Name should comply with naming conventions	Learn
254	nw-007	Microsoft.Network/networkWatchers	Governance	Low	Network Watcher should have tags	Learn
255	22a769ed-0ecb-8b49-bafe-8f52e6373d9c	Microsoft.Network/networkWatchers	MonitoringAndAlerting	Low	Fix Flow Log configurations in Failed state or Disabled Status	Learn
256	app-001	Microsoft.Web/sites	Monitoring and Alerting	Low	App Service should have diagnostic settings enabled	Learn
257	app-004	Microsoft.Web/sites	Security	High	App Service should have private endpoints enabled	Learn
258	app-006	Microsoft.Web/sites	Governance	Low	App Service Name should comply with naming conventions	Learn
259	app-007	Microsoft.Web/sites	Security	High	App Service should use HTTPS only	Learn
260	app-008	Microsoft.Web/sites	Governance	Low	App Service should have tags	Learn
261	app-009	Microsoft.Web/sites	Security	Medium	App Service should use VNET integration	Learn
262	app-010	Microsoft.Web/sites	Security	Medium	App Service should have VNET Route all enabled for VNET integration	Learn
263	app-011	Microsoft.Web/sites	Security	High	App Service should use TLS 1.2	Learn
264	app-012	Microsoft.Web/sites	Security	High	App Service remote debugging should be disabled	Learn
265	app-013	Microsoft.Web/sites	Security	High	App Service should not allow insecure FTP	Learn
266	app-014	Microsoft.Web/sites	Scalability	High	App Service should have Always On enabled	Learn
267	app-015	Microsoft.Web/sites	High Availability	Medium	App Service should avoid using Client Affinity	Learn
268	app-016	Microsoft.Web/sites	Security	Medium	App Service should use Managed Identities	Learn
269	asp-001	Microsoft.Web/serverfarms	Monitoring and Alerting	Low	Plan should have diagnostic settings enabled	Learn
270	asp-003	Microsoft.Web/serverfarms	High Availability	High	Plan should have a SLA	Learn
271	asp-006	Microsoft.Web/serverfarms	Governance	Low	Plan Name should comply with naming conventions	Learn
272	asp-007	Microsoft.Web/serverfarms	Governance	Low	Plan should have tags	Learn
273	func-001	Microsoft.Web/sites	Monitoring and Alerting	Low	Function should have diagnostic settings enabled	Learn
274	func-004	Microsoft.Web/sites	Security	High	Function should have private endpoints enabled	Learn
275	func-006	Microsoft.Web/sites	Governance	Low	Function Name should comply with naming conventions	Learn
276	func-007	Microsoft.Web/sites	Security	High	Function should use HTTPS only	Learn
277	func-008	Microsoft.Web/sites	Governance	Low	Function should have tags	Learn
278	func-009	Microsoft.Web/sites	Security	Medium	Function should use VNET integration	Learn
279	func-010	Microsoft.Web/sites	Security	Medium	Function should have VNET Route all enabled for VNET integration	Learn
280	func-011	Microsoft.Web/sites	Security	Medium	Function should use TLS 1.2	Learn
281	func-012	Microsoft.Web/sites	Security	Medium	Function remote debugging should be disabled	Learn
282	func-013	Microsoft.Web/sites	High Availability	Medium	Function should avoid using Client Affinity	Learn
283	func-014	Microsoft.Web/sites	Security	Medium	Function should use Managed Identities	Learn
284	logics-001	Microsoft.Web/sites	Monitoring and Alerting	Low	Logic App should have diagnostic settings enabled	Learn
285	logics-004	Microsoft.Web/sites	Security	High	Logic App should have private endpoints enabled	Learn
286	logics-006	Microsoft.Web/sites	Governance	Low	Logic App Name should comply with naming conventions	Learn
287	logics-007	Microsoft.Web/sites	Security	High	Logic App should use HTTPS only	Learn
288	logics-008	Microsoft.Web/sites	Governance	Low	Logic App should have tags	Learn
289	logics-009	Microsoft.Web/sites	Security	Medium	Logic App should use VNET integration	Learn
290	logics-010	Microsoft.Web/sites	Security	Medium	Logic App should have VNET Route all enabled for VNET integration	Learn
291	logics-011	Microsoft.Web/sites	Security	Medium	Logic App should use TLS 1.2	Learn
292	logics-012	Microsoft.Web/sites	Security	Medium	Logic App remote debugging should be disabled	Learn
293	logics-013	Microsoft.Web/sites	High Availability	Medium	Logic App should avoid using Client Affinity	Learn
294	logics-014	Microsoft.Web/sites	Security	Medium	Logic App should use Managed Identities	Learn
295	88cb90c2-3b99-814b-9820-821a63f600dd	Microsoft.Web/serverFarms	HighAvailability	High	Migrate App Service to availability Zone Support	Learn
296	b2113023-a553-2e41-9789-597e2fb54c31	Microsoft.Web/serverFarms	HighAvailability	High	Use Standard or Premium tier	Learn
297	07243659-4643-d44c-a1c6-07ac21635072	Microsoft.Web/serverFarms	Scalability	Medium	Avoid scaling up or down	Learn
298	c6c4b962-5af4-447a-9d74-7b9c53a5dff5	Microsoft.Web/sites	HighAvailability	Low	Enable auto heal for Functions App	Learn
299	0b80b67c-afbe-4988-ad58-a85a146b681e	Microsoft.Web/sites	OtherBestPractices	Medium	Store configuration as app settings	Learn
300	9e6682ac-31bc-4635-9959-ab74b52454e6	Microsoft.Web/sites	Scalability	High	Set minimum instance count to 2 for app service	Learn
301	fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d	Microsoft.Web/sites	OtherBestPractices	High	Enable Health check for App Services	Learn
302	aab6b4a4-9981-43a4-8728-35c7ecbb746d	Microsoft.Web/sites	Governance	Medium	Configure network access restrictions	Learn
303	a1d91661-32d4-430b-b3b6-5adeb0975df7	Microsoft.Web/sites	Governance	Low	Deploy to a staging slot	Learn
304	pep-003	Microsoft.Network/privateEndpoints	High Availability	High	Private Endpoint SLA	Learn
305	pep-006	Microsoft.Network/privateEndpoints	Governance	Low	Private Endpoint Name should comply with naming conventions	Learn
306	pep-007	Microsoft.Network/privateEndpoints	Governance	Low	Private Endpoint should have tags	Learn
307	b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7	Microsoft.Network/privateEndpoints	HighAvailability	Medium	Resolve issues with Private Endpoints in non Succeeded connection state	Learn
308	pip-003	Microsoft.Network/publicIPAddresses	High Availability	High	Public IP SLA	Learn
309	pip-006	Microsoft.Network/publicIPAddresses	Governance	Low	Public IP Name should comply with naming conventions	Learn
310	pip-007	Microsoft.Network/publicIPAddresses	Governance	Low	Public IP should have tags	Learn
311	c63b81fb-7afc-894c-a840-91bb8a8dcfaf	Microsoft.Network/publicIPAddresses	HighAvailability	High	Use Standard SKU and Zone-Redundant IPs when applicable	Learn
312	1adba190-5c4c-e646-8527-dd1b2a6d8b15	Microsoft.Network/publicIPAddresses	HighAvailability	Medium	Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion	Learn
313	5cea1501-6fe4-4ec4-ac8f-f72320eb18d3	Microsoft.Network/publicIPAddresses	HighAvailability	Medium	Upgrade Basic SKU public IP addresses to Standard SKU	Learn
314	c4254c66-b8a5-47aa-82f6-e7d7fb418f47	Microsoft.Network/publicIPAddresses	Security	Medium	Public IP addresses should have DDoS protection enabled	Learn
315	psqlf-001	Microsoft.DBforPostgreSQL/flexibleServers	Monitoring and Alerting	Low	PostgreSQL should have diagnostic settings enabled	Learn
316	psqlf-003	Microsoft.DBforPostgreSQL/flexibleServers	High Availability	High	PostgreSQL should have a SLA	Learn
317	psqlf-004	Microsoft.DBforPostgreSQL/flexibleServers	Security	High	PostgreSQL should have private access enabled	Learn
318	psqlf-006	Microsoft.DBforPostgreSQL/flexibleServers	Governance	Low	PostgreSQL Name should comply with naming conventions	Learn
319	psqlf-007	Microsoft.DBforPostgreSQL/flexibleServers	Governance	Low	PostgreSQL should have tags	Learn
320	ca87914f-aac4-4783-ab67-82a6f936f194	Microsoft.DBforPostgreSQL/flexibleServers	HighAvailability	High	Enable HA with zone redundancy	Learn
321	b2bad57d-7e03-4c0f-9024-597c9eb295bb	Microsoft.DBforPostgreSQL/flexibleServers	Scalability	High	Enable custom maintenance schedule	Learn
322	31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3	Microsoft.DBforPostgreSQL/flexibleServers	DisasterRecovery	High	Configure geo redundant backup storage	Learn
323	2ab85a67-26be-4ed2-a0bb-101b2513ec63	Microsoft.DBforPostgreSQL/flexibleServers	DisasterRecovery	High	Configure one or more read replicas	Learn
324	psql-001	Microsoft.DBforPostgreSQL/servers	Monitoring and Alerting	Low	PostgreSQL should have diagnostic settings enabled	Learn
325	psql-003	Microsoft.DBforPostgreSQL/servers	High Availability	High	PostgreSQL should have a SLA	Learn
326	psql-004	Microsoft.DBforPostgreSQL/servers	Security	High	PostgreSQL should have private endpoints enabled	Learn
327	psql-006	Microsoft.DBforPostgreSQL/servers	Governance	Low	PostgreSQL Name should comply with naming conventions	Learn
328	psql-007	Microsoft.DBforPostgreSQL/servers	Governance	Low	PostgreSQL should have tags	Learn
329	psql-008	Microsoft.DBforPostgreSQL/servers	Security	High	PostgreSQL should enforce SSL	Learn
330	psql-009	Microsoft.DBforPostgreSQL/servers	Security	Low	PostgreSQL should enforce TLS >= 1.2	Learn
331	udr-003	Microsoft.Network/routeTables	High Availability	High	Rout Table SLA	Learn
332	udr-006	Microsoft.Network/routeTables	Governance	Low	Rout Table Name should comply with naming conventions	Learn
333	udr-007	Microsoft.Network/routeTables	Governance	Low	Rout Table should have tags	Learn
334	23b2dfc7-7e5d-9443-9f62-980ca621b561	Microsoft.Network/routeTables	MonitoringAndAlerting	High	Monitor changes in Route Tables with Azure Monitor	Learn
335	17e877f7-3a89-4205-8a24-0670de54ddcd	Microsoft.RecoveryServices/vaults	DisasterRecovery	High	Validate VM functionality with a Site Recovery test failover to check performance at target	Learn
336	1549b91f-2ea0-4d4f-ba2a-4596becbe3de	Microsoft.RecoveryServices/vaults	DisasterRecovery	Medium	Enable Cross Region Restore for your GRS Recovery Services Vault	Learn
337	9e39919b-78af-4a0b-b70f-c548dae97c25	Microsoft.RecoveryServices/vaults	DisasterRecovery	Medium	Enable Soft Delete for Recovery Services Vaults in Azure Backup	Learn
338	redis-001	Microsoft.Cache/Redis	Monitoring and Alerting	Low	Redis should have diagnostic settings enabled	Learn
339	redis-003	Microsoft.Cache/Redis	High Availability	High	Redis should have a SLA	Learn
340	redis-006	Microsoft.Cache/Redis	Governance	Low	Redis Name should comply with naming conventions	Learn
341	redis-007	Microsoft.Cache/Redis	Governance	Low	Redis should have tags	Learn
342	redis-008	Microsoft.Cache/Redis	Security	High	Redis should not enable non SSL ports	Learn
343	redis-009	Microsoft.Cache/Redis	Security	Low	Redis should enforce TLS >= 1.2	Learn
344	5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8	Microsoft.Cache/Redis	HighAvailability	High	Enable zone redundancy for Azure Cache for Redis	Learn
345	c474fc96-4e6a-4fb0-95d0-a26b3f35933c	Microsoft.Cache/redis	Security	Medium	Configure Private Endpoints	Learn
346	sb-001	Microsoft.ServiceBus/namespaces	Monitoring and Alerting	Low	Service Bus should have diagnostic settings enabled	Learn
347	sb-003	Microsoft.ServiceBus/namespaces	High Availability	High	Service Bus should have a SLA	Learn
348	sb-004	Microsoft.ServiceBus/namespaces	Security	High	Service Bus should have private endpoints enabled	Learn
349	sb-006	Microsoft.ServiceBus/namespaces	Governance	Low	Service Bus Name should comply with naming conventions	Learn
350	sb-007	Microsoft.ServiceBus/namespaces	Governance	Low	Service Bus should have tags	Learn
351	sb-008	Microsoft.ServiceBus/namespaces	Security	Medium	Service Bus should have local authentication disabled	Learn
352	f075a1bd-de9e-4819-9a1d-1ac41037a74f	Microsoft.ServiceBus/namespaces	ServiceUpgradeAndRetirement	High	Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher	Learn
353	sigr-001	Microsoft.SignalRService/SignalR	Monitoring and Alerting	Low	SignalR should have diagnostic settings enabled	Learn
354	sigr-003	Microsoft.SignalRService/SignalR	High Availability	High	SignalR should have a SLA	Learn
355	sigr-004	Microsoft.SignalRService/SignalR	Security	High	SignalR should have private endpoints enabled	Learn
356	sigr-006	Microsoft.SignalRService/SignalR	Governance	Low	SignalR Name should comply with naming conventions	Learn
357	sigr-007	Microsoft.SignalRService/SignalR	Governance	Low	SignalR should have tags	Learn
358	6a8b3db9-5773-413a-a127-4f7032f34bbd	Microsoft.SignalRService/SignalR	HighAvailability	High	Enable zone redundancy for SignalR	Learn
359	sql-004	Microsoft.Sql/servers	Security	High	SQL should have private endpoints enabled	Learn
360	sql-006	Microsoft.Sql/servers	Governance	Low	SQL Name should comply with naming conventions	Learn
361	sql-007	Microsoft.Sql/servers	Governance	Low	SQL should have tags	Learn
362	sql-008	Microsoft.Sql/servers	Security	Low	SQL should enforce TLS >= 1.2	Learn
363	sqldb-001	Microsoft.Sql/servers/databases	Monitoring and Alerting	Low	SQL Database should have diagnostic settings enabled	Learn
364	sqldb-003	Microsoft.Sql/servers/databases	High Availability	High	SQL Database should have a SLA	Learn
365	sqldb-006	Microsoft.Sql/servers/databases	Governance	Low	SQL Database Name should comply with naming conventions	Learn
366	sqldb-007	Microsoft.Sql/servers/databases	Governance	Low	SQL Database should have tags	Learn
367	sqlep-002	Microsoft.Sql/servers/elasticPools	Governance	Low	SQL Elastic Pool Name should comply with naming conventions	Learn
368	sqlep-003	Microsoft.Sql/servers/elasticPools	Governance	Low	SQL Elastic Pool should have tags	Learn
369	74c2491d-048b-0041-a140-935960220e20	Microsoft.Sql/servers	DisasterRecovery	High	Use Active Geo Replication to Create a Readable Secondary in Another Region	Learn
370	943c168a-2ec2-a94c-8015-85732a1b4859	Microsoft.Sql/servers	DisasterRecovery	High	Auto Failover Groups can encompass one or multiple databases, usually used by the same app.	Learn
371	c0085c32-84c0-c247-bfa9-e70977cbf108	Microsoft.Sql/servers	HighAvailability	Medium	Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency	Learn
372	7e7daec9-6a81-3546-a4cc-9aef72fec1f7	Microsoft.Sql/servers	MonitoringAndAlerting	High	Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents	Learn
373	syndp-001	Microsoft.Synapse/workspaces/sqlPools	Governance	Low	Azure Synapse Dedicated SQL Pool Name should comply with naming conventions	Learn
374	syndp-002	Microsoft.Synapse/workspaces/sqlPools	High Availability	High	Azure Synapse Dedicated SQL Pool SLA	Learn
375	syndp-003	Microsoft.Synapse/workspaces/sqlPools	Governance	Low	Azure Synapse Dedicated SQL Pool should have tags	Learn
376	synsp-001	Microsoft.Synapse workspaces/bigDataPools	Governance	Low	Azure Synapse Spark Pool Name should comply with naming conventions	Learn
377	synsp-002	Microsoft.Synapse workspaces/bigDataPools	High Availability	High	Azure Synapse Spark Pool SLA	Learn
378	synsp-003	Microsoft.Synapse workspaces/bigDataPools	Governance	Low	Azure Synapse Spark Pool should have tags	Learn
379	synw-001	Microsoft.Synapse/workspaces	Monitoring and Alerting	Low	Azure Synapse Workspace should have diagnostic settings enabled	Learn
380	synw-002	Microsoft.Synapse/workspaces	Security	High	Azure Synapse Workspace should have private endpoints enabled	Learn
381	synw-003	Microsoft.Synapse/workspaces	High Availability	High	Azure Synapse Workspace SLA	Learn
382	synw-004	Microsoft.Synapse/workspaces	Governance	Low	Azure Synapse Workspace Name should comply with naming conventions	Learn
383	synw-005	Microsoft.Synapse/workspaces	Governance	Low	Azure Synapse Workspace should have tags	Learn
384	synw-006	Microsoft.Synapse/workspaces	Security	High	Azure Synapse Workspace should establish network segmentation boundaries	Learn
385	synw-007	Microsoft.Synapse/workspaces	Security	High	Azure Synapse Workspace should disable public network access	Learn
386	traf-001	Microsoft.Network/trafficManagerProfiles	Monitoring and Alerting	Low	Traffic Manager should have diagnostic settings enabled	Learn
387	traf-002	Microsoft.Network/trafficManagerProfiles	High Availability	High	Traffic Manager should have availability zones enabled	Learn
388	traf-003	Microsoft.Network/trafficManagerProfiles	High Availability	High	Traffic Manager should have a SLA	Learn
389	traf-006	Microsoft.Network/trafficManagerProfiles	Governance	Low	Traffic Manager Name should comply with naming conventions	Learn
390	traf-007	Microsoft.Network/trafficManagerProfiles	Governance	Low	Traffic Manager should have tags	Learn
391	traf-009	Microsoft.Network/trafficManagerProfiles	Security	High	Traffic Manager: HTTP endpoints should be monitored using HTTPS	Learn
392	f05a3e6d-49db-2740-88e2-2b13706c1f67	Microsoft.Network/trafficManagerProfiles	HighAvailability	High	Traffic Manager Monitor Status Should be Online	Learn
393	5b422a7f-8caa-3d48-becb-511599e5bba9	Microsoft.Network/trafficManagerProfiles	HighAvailability	Medium	Traffic manager profiles should have more than one endpoint	Learn
394	1ad9d7b7-9692-1441-a8f4-93792efbe97a	Microsoft.Network/trafficManagerProfiles	DisasterRecovery	Medium	Configure at least one endpoint within a another region	Learn
395	c31f76a0-48cd-9f44-aa43-99ee904db9bc	Microsoft.Network/trafficManagerProfiles	DisasterRecovery	High	Ensure endpoint configured to (All World) for geographic profiles	Learn
396	9437634c-d69e-2747-b13e-631c13182150	Microsoft.Network/trafficManagerProfiles	BusinessContinuity	High	Avoid combining Traffic Manager and Front Door	Learn
397	st-001	Microsoft.Storage/storageAccounts	Monitoring and Alerting	Low	Storage should have diagnostic settings enabled	Learn
398	st-003	Microsoft.Storage/storageAccounts	High Availability	High	Storage should have a SLA	Learn
399	st-006	Microsoft.Storage/storageAccounts	Governance	Low	Storage Name should comply with naming conventions	Learn
400	st-007	Microsoft.Storage/storageAccounts	Security	High	Storage Account should use HTTPS only	Learn
401	st-008	Microsoft.Storage/storageAccounts	Governance	Low	Storage Account should have tags	Learn
402	st-009	Microsoft.Storage/storageAccounts	Security	Low	Storage Account should enforce TLS >= 1.2	Learn
403	st-010	Microsoft.Storage/storageAccounts	Disaster Recovery	Low	Storage Account should have inmutable storage versioning enabled	Learn
404	st-011	Microsoft.Storage/storageAccounts	Disaster Recovery	Medium	Storage Account should have soft delete enabled	Learn
405	2ad78dec-5a4d-4a30-8fd1-8584335ad781	Microsoft.Storage/storageAccounts	Scalability	Low	Consider upgrading legacy storage accounts to v2 storage accounts	Learn
406	dc55be60-6f8c-461e-a9d5-a3c7686ed94e	Microsoft.Storage/storageAccounts	Security	Medium	Enable Azure Private Link service for storage accounts	Learn
407	e6c7e1cc-2f47-264d-aa50-1da421314472	Microsoft.Storage/storageAccounts	HighAvailability	High	Ensure that storage accounts are zone or region redundant	Learn
408	979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7	Microsoft.DesktopVirtualization/hostPools	Governance	Medium	Configure host pool scheduled agent updates	Learn
409	vm-003	Microsoft.Compute/virtualMachines	High Availability	High	Virtual Machine should have a SLA	Learn
410	vm-006	Microsoft.Compute/virtualMachines	Governance	Low	Virtual Machine Name should comply with naming conventions	Learn
411	vm-007	Microsoft.Compute/virtualMachines	Governance	Low	Virtual Machine should have tags	Learn
412	2bd0be95-a825-6f47-a8c6-3db1fb5eb387	Microsoft.Compute/virtualMachines	HighAvailability	High	Deploy VMs across Availability Zones	Learn
413	41a22a5e-5e08-9647-92d0-2ffe9ef1bdad	Microsoft.Compute/virtualMachines	Security	Medium	IP Forwarding should only be enabled for Network Virtual Appliances	Learn
414	52ab9e5c-eec0-3148-8bd7-b6dd9e1be870	Microsoft.Compute/virtualMachines	HighAvailability	High	Use maintenance configurations for the VMs	Learn
415	4a9d8973-6dba-0042-b3aa-07924877ebd5	Microsoft.Compute/virtualMachines	MonitoringAndAlerting	Low	Configure monitoring for all Azure Virtual Machines	Learn
416	3201dba8-d1da-4826-98a4-104066545170	Microsoft.Compute/virtualMachines	Scalability	High	Don’t use A or B-Series VMs for production needing constant full CPU performance	Learn
417	1981f704-97b9-b645-9c57-33f8ded9261a	Microsoft.Compute/virtualMachines	DisasterRecovery	Medium	Backup VMs with Azure Backup service	Learn
418	98b334c0-8578-6046-9e43-b6e8fce6318e	Microsoft.Compute/virtualMachines	Governance	Low	Review VMs in stopped state	Learn
419	70b1d2be-e6c4-b54e-9959-b1b690f9e485	Microsoft.Compute/virtualMachines	Security	Low	Network access to the VM disk should be set to Disable public access and enable private access	Learn
420	b72214bb-e879-5f4b-b9cd-642db84f36f4	Microsoft.Compute/virtualMachines	MonitoringAndAlerting	Low	Enable VM Insights	Learn
421	4ea2878f-0d69-8d4a-b715-afc10d1e538e	Microsoft.Compute/virtualMachines	Scalability	Low	Host database data on a data disk	Learn
422	1f629a30-c9d0-d241-82ee-6f2eb9d42cb4	Microsoft.Compute/virtualMachines	Security	Medium	VMs should not have a Public IP directly associated	Learn
423	1cf8fe21-9593-1e4e-966b-779a294c0d30	Microsoft.Compute/virtualMachines	OtherBestPractices	Low	Customer DNS Servers should be configured in the Virtual Network level	Learn
424	df0ff862-814d-45a3-95e4-4fad5a244ba6	Microsoft.Compute/virtualMachines	Scalability	High	Mission Critical Workloads should consider using Premium or Ultra Disks	Learn
425	a8d25876-7951-b646-b4e8-880c9031596b	Microsoft.Compute/virtualMachines	HighAvailability	High	Migrate VMs using availability sets to VMSS Flex	Learn
426	cfe22a65-b1db-fd41-9e8e-d573922709ae	Microsoft.Compute/virtualMachines	DisasterRecovery	Medium	Replicate VMs using Azure Site Recovery	Learn
427	82b3cf6b-9ae2-2e44-b193-10793213f676	Microsoft.Compute/virtualMachines	Security	Low	VM network interfaces and associated subnets both have a Network Security Group associated	Learn
428	302fda08-ee65-4fbe-a916-6dc0b33169c4	Microsoft.Compute/virtualMachines	HighAvailability	High	Reserve Compute Capacity for critical workloads	Learn
429	122d11d7-b91f-8747-a562-f56b79bcfbdc	Microsoft.Compute/virtualMachines	HighAvailability	High	Use Managed Disks for VM disks	Learn
430	dfedbeb1-1519-fc47-86a5-52f96cf07105	Microsoft.Compute/virtualMachines	Scalability	Medium	Enable Accelerated Networking (AccelNet)	Learn
431	c42343ae-2712-2843-a285-3437eb0b28a1	Microsoft.Compute/virtualMachines	Governance	Low	Ensure that your VMs are compliant with Azure Policies	Learn
432	273f6b30-68e0-4241-85ea-acf15ffb60bf	Microsoft.Compute/virtualMachines	HighAvailability	High	Run production workloads on two or more VMs using VMSS Flex	Learn
433	f0a97179-133a-6e4f-8a49-8a44da73ffce	Microsoft.Compute/virtualMachines	Security	High	Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled	Learn
434	vmss-003	Microsoft.Compute/virtualMachineScaleSets	High Availability	High	Virtual Machine should have a SLA	Learn
435	vmss-004	Microsoft.Compute/virtualMachineScaleSets	Governance	Low	Virtual Machine Scale Set Name should comply with naming conventions	Learn
436	vmss-005	Microsoft.Compute/virtualMachineScaleSets	Governance	Low	Virtual Machine Scale Set should have tags	Learn
437	3f85a51c-e286-9f44-b4dc-51d00768696c	Microsoft.Compute/virtualMachineScaleSets	Scalability	Low	Enable Predictive autoscale and configure at least for Forecast Only	Learn
438	b5a63aa0-c58e-244f-b8a6-cbba0560a6db	Microsoft.Compute/virtualMachineScaleSets	HighAvailability	High	Disable Force strictly even balance across zones to avoid scale in and out fail attempts	Learn
439	1422c567-782c-7148-ac7c-5fc14cf45adc	Microsoft.Compute/virtualMachineScaleSets	HighAvailability	High	Deploy VMSS across availability zones with VMSS Flex	Learn
440	e7495e1c-0c75-0946-b266-b429b5c7f3bf	Microsoft.Compute/virtualMachineScaleSets	Scalability	Medium	Deploy VMSS with Flex orchestration mode instead of Uniform	Learn
441	ee66ff65-9aa3-2345-93c1-25827cf79f44	Microsoft.Compute/virtualMachineScaleSets	Scalability	High	Configure VMSS Autoscale to custom and configure the scaling metrics	Learn
442	e4ffd7b0-ba24-c84e-9352-ba4819f908c0	Microsoft.Compute/virtualMachineScaleSets	OtherBestPractices	Low	Set Patch orchestration options to Azure-orchestrated	Learn
443	94794d2a-eff0-2345-9b67-6f9349d0a627	Microsoft.Compute/virtualMachineScaleSets	MonitoringAndAlerting	Medium	Enable Azure Virtual Machine Scale Set Application Health Monitoring	Learn
444	820f4743-1f94-e946-ae0b-45efafd87962	Microsoft.Compute/virtualMachineScaleSets	HighAvailability	High	Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets	Learn
445	vnet-001	Microsoft.Network/virtualNetworks	Monitoring and Alerting	Low	Virtual Network should have diagnostic settings enabled	Learn
446	vnet-006	Microsoft.Network/virtualNetworks	Governance	Low	Virtual Network Name should comply with naming conventions	Learn
447	vnet-007	Microsoft.Network/virtualNetworks	Governance	Low	Virtual Network should have tags	Learn
448	vnet-009	Microsoft.Network/virtualNetworks	High Availability	High	Virtual Network should have at least two DNS servers assigned	Learn
449	69ea1185-19b7-de40-9da1-9e8493547a5c	Microsoft.Network/virtualNetworks	Security	High	Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans	Learn
450	24ae3773-cc2c-3649-88de-c9788e25b463	Microsoft.Network/virtualNetworks	Security	Medium	When available, use Private Endpoints instead of Service Endpoints for PaaS Services	Learn
451	f0bf9ae6-25a5-974d-87d5-025abec73539	Microsoft.Network/virtualNetworks	Security	Low	All Subnets should have a Network Security Group associated	Learn
452	vgw-001	Microsoft.Network/virtualNetworkGateways	Monitoring and Alerting	Low	Virtual Network Gateway should have diagnostic settings enabled	Learn
453	vgw-002	Microsoft.Network/virtualNetworkGateways	Governance	Low	Virtual Network Gateway Name should comply with naming conventions	Learn
454	vgw-003	Microsoft.Network/virtualNetworkGateways	Governance	Low	Virtual Network Gateway should have tags	Learn
455	vgw-004	Microsoft.Network/virtualNetworkGateways	High Availability	High	Virtual Network Gateway should have a SLA	Learn
456	vgw-005	Microsoft.Network/virtualNetworkGateways	High Availability	High	Storage should have availability zones enabled	Learn
457	281a2713-c0e0-3c48-b596-19f590c46671	Microsoft.Network/virtualNetworkGateways	HighAvailability	Medium	Enable Active-Active VPN Gateways for redundancy	Learn
458	bbe668b7-eb5c-c746-8b82-70afdedf0cae	Microsoft.Network/virtualNetworkGateways	HighAvailability	High	Use Zone-redundant ExpressRoute gateway SKUs	Learn
459	5b1933a6-90e4-f642-a01f-e58594e5aab2	Microsoft.Network/virtualNetworkGateways	HighAvailability	High	Choose a Zone-redundant VPN gateway	Learn
460	4bae5a28-5cf4-40d9-bcf1-623d28f6d917	Microsoft.Network/virtualNetworkGateways	HighAvailability	High	Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)	Learn
461	d37db635-157f-584d-9bce-4f6fc8c65ce5	Microsoft.Network/virtualNetworkGateways	HighAvailability	High	Connect ExpressRoute gateway with circuits from diverse peering locations	Learn
462	3e115044-a3aa-433e-be01-ce17d67e50da	Microsoft.Network/virtualNetworkGateways	HighAvailability	High	Configure customer-controlled ExpressRoute gateway maintenance	Learn
463	wps-001	Microsoft.SignalRService/webPubSub	Monitoring and Alerting	Low	Web Pub Sub should have diagnostic settings enabled	Learn
464	wps-002	Microsoft.SignalRService/webPubSub	High Availability	High	Web Pub Sub should have availability zones enabled	Learn
465	wps-003	Microsoft.SignalRService/webPubSub	High Availability	High	Web Pub Sub should have a SLA	Learn
466	wps-004	Microsoft.SignalRService/webPubSub	Security	High	Web Pub Sub should have private endpoints enabled	Learn
467	wps-006	Microsoft.SignalRService/webPubSub	Governance	Low	Web Pub Sub Name should comply with naming conventions	Learn
468	wps-007	Microsoft.SignalRService/webPubSub	Governance	Low	Web Pub Sub should have tags	Learn

5 - Related Projects

Azure Quick Review compared to APRL, Azure Review Checklists and PSRule.Rules.Azure

AZQR and APRL

As of version 2.0.0-preview, Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the the Azure Proactive Resiliency Library (APRL), which are used to identify non-compliant resources.

Azure Quick Review (azqr) extends APRL by providing per service instance SLAs, Diagnostic Settings detection and more. Therefore, scan results display AZQR or APRL, to indicate the source of the recommendation.

APRL provides a curated catalog of resiliency recommendations for workloads running in Azure. Many of the recommendations contain supporting Azure Resource Graph (ARG) queries

AZQR compared to Azure Review Checklists and PSRule.Rules.Azure

Azure Quick Review (azqr) was created to address a very specific need we had back in 2022. Initially, we had to run three assessments to get a clear picture of various solutions in terms of SLAs, use of Availability Zones, and Diagnostic Settings. At the time, we were not aware of the existence of the review-checklist or PSRule.Rules.Azure.

When some of our peers saw the assessments we were able to deliver with the early bits of Azure Quick Review (azqr), they asked us to add more checks (recommendations) and change the output format from markdown to Excel.

As many of our customers work in restrictive environments, the ability to run a self-contained, cross-platform binary while using read-only permissions became a key feature.

Moving forward to 2023, based on great feedback from both peers and customers, we moved the original repo to the Azure organization, added support for more services, fixed some issues and even added a Power BI template.

In August 2024, we added all APRL recommendations to Azure Quick Review (azqr) and removed duplicates in favor of the ones already available as Azure Resource Graph queries.

When compared with PSRule.Rules.Azure, Azure Quick Review (azqr) only scans deployed Azure resources and provides recommendations based on the current state. Azure Quick Review (azqr) does not scan ARM templates or Bicep files.

When compared to the review-checklist, Azure Quick Review (azqr) also provides an actionable list of more than 400 recommendations (70+ Azure resource types), that can be used to improve the resiliency of your Azure solutions.

6 - Troubleshooting & Support

Troubleshooting & Support

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

For new issues, file your bug or feature request as a new issue.
For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

7 - Resources & References

Check out other resources and references

Microsoft Documentation

8 - Contribution Guidelines

How to contribute to the project

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.