Azure Quick Review

Azure Quick Review! — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a command-line interface (CLI) tool specifically designed to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations. Its primary purpose is to provide users with a detailed overview of their Azure resources, enabling them to easily identify any non-compliant configurations or potential areas for improvement.

1 - Overview

Azure Quick Review — Analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Azure Quick Review (azqr) is a powerful command-line interface (CLI) tool that specializes in analyzing Azure resources to ensure compliance with Azure’s best practices and recommendations. Its main objective is to offer users a comprehensive overview of their Azure resources, allowing them to easily identify any non-compliant configurations or areas for improvement.

Azure Quick Review Recommendations

Azure Quick Review (azqr) scans your resources with 2 types of recommendations:

To learn more about the recommendations used by Azure Quick Review (azqr), you can refer to the documentation available here.

Scan Results

The output generated by Azure Quick Review (azqr) is written by default to an Excel file, which contains the following sheets:

  • Recommendations: a list with all recommendations with the number of resources that are impacted. You can use this table as an action plan to improve the compliance of your resources.
  • ImpactedResources: a list with all resources that are impacted. You can use this table to identify resources that have issues that need to be addressed.
  • ResourceTypes: a list of impacted resource types.
  • Inventory: a list of all resources scanned by the tool. Here you’ll find details such as SKU, Tier, Kind or calculated SLA.
  • Advisor: a list of recommendations provided by Azure Advisor.
  • DefenderRecommendations: a list of recommendations provided by Microsoft Defender for Cloud.
  • OutOfScope: a list of resources that were not scanned.
  • Defender: a list of Microsoft Defender for Cloud plans and their tiers.
  • Costs: a list of costs associated with the scanned subscription for the last 3 months.

By default, Azure Quick Review (azqr) obfuscates the subscription IDs in the output to protect sensitive information. To display the subscription IDs without obfuscation, pass the --mask=false flag when running the tool.

Azure Quick Review can also generate CSV files with the same information as the Excel file. To generate the CSV files, use the --csv flag when running the tool.

A Power BI template is also available to help you visualize the results generated by Azure Quick Review. You can create the template by running Azure Quick Review with the pbi command and then loading the Excel file generated by the tool.

Supported Azure Services

Azure Quick Review (azqr) currently supports the following Azure services:

| Abbreviation | Resource Type |
| --- | --- |
| aa | Microsoft.Automation/automationAccounts |
| adf | Microsoft.DataFactory/factories |
| afd | Microsoft.Cdn/profiles |
| afw | Microsoft.Network/azureFirewalls |
| afw | Microsoft.Network/ipGroups |
| agw | Microsoft.Network/applicationGateways |
| aif | Microsoft.CognitiveServices/accounts |
| aks | Microsoft.ContainerService/managedClusters |
| amg | Microsoft.Dashboard/grafana |
| apim | Microsoft.ApiManagement/service |
| appcs | Microsoft.AppConfiguration/configurationStores |
| appi | Microsoft.Insights/components |
| appi | Microsoft.Insights/activityLogAlerts |
| as | Microsoft.AnalysisServices/servers |
| asp | Microsoft.Web/serverFarms |
| asp | Microsoft.Web/sites |
| asp | Microsoft.Web/connections |
| asp | Microsoft.Web/certificates |
| avail | Microsoft.Compute/availabilitySets |
| avd | Specialized.Workload/AVD |
| avs | Microsoft.AVS/privateClouds |
| avs | Specialized.Workload/AVS |
| ba | Microsoft.Batch/batchAccounts |
| ca | Microsoft.App/containerApps |
| cae | Microsoft.App/managedenvironments |
| ci | Microsoft.ContainerInstance/containerGroups |
| con | Microsoft.Network/connections |
| cosmos | Microsoft.DocumentDB/databaseAccounts |
| cr | Microsoft.ContainerRegistry/registries |
| dbw | Microsoft.Databricks/workspaces |
| dec | Microsoft.Kusto/clusters |
| disk | Microsoft.Compute/disks |
| erc | Microsoft.Network/expressRouteCircuits |
| erc | Microsoft.Network/ExpressRoutePorts |
| evgd | Microsoft.EventGrid/domains |
| evh | Microsoft.EventHub/namespaces |
| fdfp | Microsoft.Network/frontdoorWebApplicationFirewallPolicies |
| gal | Microsoft.Compute/galleries |
| hpc | Specialized.Workload/HPC |
| hub | Microsoft.MachineLearningServices/workspaces |
| iot | Microsoft.Devices/IotHubs |
| it | Microsoft.VirtualMachineImages/imageTemplates |
| kv | Microsoft.KeyVault/vaults |
| lb | Microsoft.Network/loadBalancers |
| log | Microsoft.OperationalInsights/workspaces |
| logic | Microsoft.Logic/workflows |
| maria | Microsoft.DBforMariaDB/servers |
| maria | Microsoft.DBforMariaDB/servers/databases |
| mysql | Microsoft.DBforMySQL/servers |
| mysql | Microsoft.DBforMySQL/flexibleServers |
| netapp | Microsoft.NetApp/netAppAccounts |
| ng | Microsoft.Network/natGateways |
| nic | Microsoft.Network/networkInterfaces |
| nsg | Microsoft.Network/networkSecurityGroups |
| nw | Microsoft.Network/networkWatchers |
| pdnsz | Microsoft.Network/privateDnsZones |
| pep | Microsoft.Network/privateEndpoints |
| pip | Microsoft.Network/publicIPAddresses |
| psql | Microsoft.DBforPostgreSQL/servers |
| psql | Microsoft.DBforPostgreSQL/flexibleServers |
| redis | Microsoft.Cache/Redis |
| rg | Microsoft.Resources/resourceGroups |
| rsv | Microsoft.RecoveryServices/vaults |
| rt | Microsoft.Network/routeTables |
| sap | Specialized.Workload/SAP |
| sb | Microsoft.ServiceBus/namespaces |
| sigr | Microsoft.SignalRService/SignalR |
| sql | Microsoft.Sql/servers |
| sql | Microsoft.Sql/servers/databases |
| sql | Microsoft.Sql/servers/elasticPools |
| srch | Microsoft.Search/searchServices |
| st | Microsoft.Storage/storageAccounts |
| synw | Microsoft.Synapse/workspaces |
| synw | Microsoft.Synapse/workspaces/bigDataPools |
| synw | Microsoft.Synapse/workspaces/sqlPools |
| traf | Microsoft.Network/trafficManagerProfiles |
| vdpool | Microsoft.DesktopVirtualization/hostPools |
| vdpool | Microsoft.DesktopVirtualization/scalingPlans |
| vdpool | Microsoft.DesktopVirtualization/workspaces |
| vgw | Microsoft.Network/virtualNetworkGateways |
| vm | Microsoft.Compute/virtualMachines |
| vmss | Microsoft.Compute/virtualMachineScaleSets |
| vnet | Microsoft.Network/virtualNetworks |
| vnet | Microsoft.Network/virtualNetworks/subnets |
| vwan | Microsoft.Network/virtualWans |
| wps | Microsoft.SignalRService/webPubSub |

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct

Trademark Notice

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.

2 - Install

Learn how to install Azure Quick Review (azqr)

Install on Linux or Azure Cloud Shell

latest_azqr=$(curl -sL https://api.github.com/repos/Azure/azqr/releases/latest | jq -r ".tag_name" | cut -c1-)
wget https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-ubuntu-latest-amd64 -O azqr
chmod +x azqr

Install on Windows

Use winget:

winget install azqr

or download the executable file:

$latest_azqr=$(iwr https://api.github.com/repos/Azure/azqr/releases/latest).content | convertfrom-json | Select-Object -ExpandProperty tag_name
iwr https://github.com/Azure/azqr/releases/download/$latest_azqr/azqr-windows-latest-amd64.exe -OutFile azqr.exe

Install on Mac

Use homebrew:

brew install azqr

or download the latest release from here.

3 - Usage

Use Azure Quick Review (azqr) to analyze Azure resources and identify whether they comply with Azure’s best practices and recommendations.

Authorization

Azure Quick Review (azqr) requires the following permissions:

  • Reader over Subscription or Management Group scope

Authentication

Credential Chain Configuration

Azure Quick Review (azqr) uses the Azure SDK’s DefaultAzureCredential which automatically selects the most appropriate credential based on your environment. You can customize the credential chain behavior by setting the AZURE_TOKEN_CREDENTIALS environment variable.

Development environments: Set AZURE_TOKEN_CREDENTIALS=dev to use Azure CLI (az) or Azure Developer CLI (azd) credentials.

Production environments: Set AZURE_TOKEN_CREDENTIALS=prod to use environment variables, workload identity, or managed identity credentials.

Service Principal Authentication

Set the following environment variables:

PowerShell:

$env:AZURE_CLIENT_ID = '<service-principal-client-id>'
$env:AZURE_CLIENT_SECRET = '<service-principal-client-secret>'
$env:AZURE_TENANT_ID = '<tenant-id>'

Bash:

export AZURE_CLIENT_ID='<service-principal-client-id>'
export AZURE_CLIENT_SECRET='<service-principal-client-secret>'
export AZURE_TENANT_ID='<tenant-id>'

Authenticate with a Managed Identity

Set the following environment variables:

PowerShell:

$env:AZURE_CLIENT_ID = '<managed-identity-client-id>'
$env:AZURE_TENANT_ID = '<tenant-id>'

Bash:

export AZURE_CLIENT_ID='<managed-identity-client-id>'
export AZURE_TENANT_ID='<tenant-id>'

Authenticate with Azure CLI

Authenticate to Azure:

az login

Scan Azure Resources

  • Scan All Resources

    azqr scan
    
  • Scan a Management Group

    azqr scan --management-group-id <management_group_id>
    
  • Scan a Subscription

    azqr scan --subscription-id <subscription_id>
    
  • Scan a Resource Group

    azqr scan --subscription-id <subscription_id> --resource-group <resource_group_name>
    

Advanced Filtering

You can configure Azure Quick Review to include or exclude specific subscriptions or resource groups and also exclude services or recommendations. To do so, create a yaml file with the following format:

azqr:
  include:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    resourceTypes:
      - <resource type abbreviation> # format: Abbreviation of the resource type. For example: "vm" for "Microsoft.Compute/virtualMachines"
  exclude:
    subscriptions:
      - <subscription_id> # format: <subscription_id>
    resourceGroups:
      - <resource_group_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>
    services:
      - <service_resource_id> # format: /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/<service_provider>/<service_name>
    recommendations:
      - <recommendation_id> # format: <recommendation_id>

Then run the scan with the --filters flag:

./azqr scan --filters <path_to_yaml_file>

Check the rules to get the recommendation ids.

Check the overview to get the resource type abbreviations.

File Outputs

Currently Azure Quick Review supports 3 types of file outputs: xlsx (default), csv, json

xlsx

xlsx is the default output format.

Check the overview for more information.

csv

By default, azqr creates an xlsx document. To export to csv instead, use the --csv flag.

Example:

azqr scan --csv

The scan will generate 9 csv files:

<file-name>.advisor.csv
<file-name>.costs.csv
<file-name>.defender.csv
<file-name>.defenderRecommendations.csv
<file-name>.impacted.csv
<file-name>.inventory.csv
<file-name>.outofscope.csv
<file-name>.recommendations.csv
<file-name>.resourceType.csv

json

By default, azqr creates an xlsx document. To export to json instead, use the --json flag.

Example:

azqr scan --json

The scan will generate a single consolidated json file:

<file-name>.json

The JSON file contains all data sections in a single consolidated structure:

{
    "recommendations": [...],
    "impacted": [...],
    "resourceType": [...],
    "inventory": [...],
    "defender": [...],
    "defenderRecommendations": [...],
    "advisor": [...],
    "costs": [...],
    "outOfScope": [...]
}
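
An added example (not part of azqr or its documentation): a Python check over the consolidated JSON report that returns reasons to hold it back, namely Security findings with High impact and subscription IDs that are still unmasked. The top-level section names come from the structure above; the per-row keys (category, impact, recommendationId, resourceId, subscriptionId), the masked-ID shape and the sample data are assumptions constructed for illustration.

```python
import json
import re
import sys
from collections import Counter

# Top-level sections of the consolidated report, as listed in the structure above.
SECTIONS = ("recommendations", "impacted", "resourceType", "inventory", "defender",
            "defenderRecommendations", "advisor", "costs", "outOfScope")

_GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
_SUB_IN_ID = re.compile(r"/subscriptions/(" + _GUID + r")(?![0-9a-f-])", re.I)
_BARE_GUID = re.compile(_GUID + r"\Z", re.I)

def _norm(text):
    """Lower-case and drop punctuation so 'Recommendation_ID' equals 'recommendationId'."""
    return re.sub(r"[^a-z0-9]", "", str(text).lower())

def field(row, name):
    """Fetch a row value by tolerant key match; the exact key spelling is an assumption."""
    for key, value in row.items():
        if _norm(key) == _norm(name):
            return value
    return None

def unmasked_subscription_ids(report):
    """Return sorted (section, row index, key, guid) for well-formed subscription GUIDs.

    Only GUIDs after '/subscriptions/' or under a key containing 'subscription' count,
    so unrelated GUIDs are ignored. Assumes a masked ID is not a valid hex GUID.
    """
    hits = set()
    for section in SECTIONS:
        for index, row in enumerate(report.get(section) or []):
            if not isinstance(row, dict):
                continue
            for key, value in row.items():
                if not isinstance(value, str):
                    continue
                found = [m.group(1) for m in _SUB_IN_ID.finditer(value)]
                if "subscription" in _norm(key) and _BARE_GUID.match(value.strip()):
                    found.append(value.strip())
                hits.update((section, index, key, guid.lower()) for guid in found)
    return sorted(hits)

def blocking_findings(report, category="Security", impact="High"):
    """Count impacted rows per recommendation for one category/impact pair, plus the
    number of rows lacking either field, so a schema change is not read as clean."""
    counts, unclassified = Counter(), 0
    for row in report.get("impacted") or []:
        cat = field(row, "category") if isinstance(row, dict) else None
        imp = field(row, "impact") if isinstance(row, dict) else None
        if not isinstance(cat, str) or not isinstance(imp, str):
            unclassified += 1
        elif (_norm(cat), _norm(imp)) == (_norm(category), _norm(impact)):
            counts[str(field(row, "recommendationId") or "<no id>")] += 1
    return dict(counts), unclassified

def hold_reasons(report):
    """Return the reasons to hold the report back; an empty list means it passes."""
    reasons = []
    if not isinstance(report.get("impacted"), list):
        reasons.append("no 'impacted' list in the report")
    findings, unclassified = blocking_findings(report)
    if findings:
        listed = ", ".join(f"{rid} x{n}" for rid, n in sorted(findings.items()))
        reasons.append("High-impact Security findings: " + listed)
    if unclassified:
        reasons.append(f"{unclassified} impacted row(s) without category or impact")
    leaks = unmasked_subscription_ids(report)
    if leaks:
        section, index, key, _ = leaks[0]
        reasons.append(f"{len(leaks)} unmasked subscription ID(s), first at {section}[{index}].{key}")
    return reasons

# Constructed sample report: keys, values and the masked-ID shape are illustrative only.
SAMPLE = {
    "impacted": [
        {"recommendationId": "kv-001", "category": "MonitoringAndAlerting", "impact": "Low",
         "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx0001/resourceGroups/rg-a"},
        {"recommendationId": "app-007", "category": "Security", "impact": "High",
         "resourceId": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx0001/resourceGroups/rg-a"},
        {"recommendationId": "app-007", "category": "Security", "impact": "High",
         "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-b"},
        {"recommendationId": "aks-004", "category": "Security", "impact": "High"},
        {"recommendationId": "kv-003", "category": "HighAvailability"},  # impact missing
    ],
    "inventory": [{"subscriptionId": "11111111-2222-3333-4444-555555555555"}],
}

if __name__ == "__main__":
    report = SAMPLE  # demo input unless a report path is given as the first argument
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            report = json.load(handle)
    problems = hold_reasons(report)
    print("\n".join("HOLD: " + p for p in problems) or "PASS")
    # Non-zero exit only for a real report, so the demo run itself succeeds.
    sys.exit(1 if problems and len(sys.argv) > 1 else 0)
```

Compare the assumed key names against a real report before relying on the exit status; rows that cannot be classified are reported instead of being skipped.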

Changing the Output File Name

You can change the output file name by using the --output-file or -o flag:

PowerShell:

$timestamp = Get-Date -Format 'yyyyMMddHHmmss'
azqr scan --output-file "azqr_action_plan_$timestamp"

Bash:

timestamp=$(date '+%Y%m%d%H%M%S')
azqr scan --output-file "azqr_action_plan_$timestamp"

By default, the output file name is azqr_action_plan_YYYY_MM_DD_THHMMSS.

Help

You can get help for azqr commands by running:

azqr --help

4 - Recommendations

Recommendations

Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:

Recommendations List

Total Supported Azure Resource Types: 88

IdResource TypeCategoryImpactRecommendationLearn
1adf-001Microsoft.DataFactory/factoriesMonitoringAndAlertingLowAzure Data Factory should have diagnostic settings enabledLearn
2adf-002Microsoft.DataFactory/factoriesSecurityHighAzure Data Factory should have private endpoints enabledLearn
3adf-003Microsoft.DataFactory/factoriesHighAvailabilityHighAzure Data Factory SLALearn
4adf-004Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory Name should comply with naming conventionsLearn
5adf-005Microsoft.DataFactory/factoriesGovernanceLowAzure Data Factory should have tagsLearn
6afd-001Microsoft.Cdn/profilesMonitoringAndAlertingLowAzure FrontDoor should have diagnostic settings enabledLearn
7afd-003Microsoft.Cdn/profilesHighAvailabilityHighAzure FrontDoor SLALearn
8afd-006Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor Name should comply with naming conventionsLearn
9afd-007Microsoft.Cdn/profilesGovernanceLowAzure FrontDoor should have tagsLearn
10afw-001Microsoft.Network/azureFirewallsMonitoringAndAlertingLowAzure Firewall should have diagnostic settings enabledLearn
11afw-003Microsoft.Network/azureFirewallsHighAvailabilityHighAzure Firewall SLALearn
12afw-006Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall Name should comply with naming conventionsLearn
13afw-007Microsoft.Network/azureFirewallsGovernanceLowAzure Firewall should have tagsLearn
14agw-005Microsoft.Network/applicationGatewaysMonitoringAndAlertingLowApplication Gateway: Monitor and Log the configurations and trafficLearn
15agw-103Microsoft.Network/applicationGatewaysHighAvailabilityHighApplication Gateway SLALearn
16agw-105Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway Name should comply with naming conventionsLearn
17agw-106Microsoft.Network/applicationGatewaysGovernanceLowApplication Gateway should have tagsLearn
18aif-001Microsoft.CognitiveServices/accountsMonitoringAndAlertingLowService should have diagnostic settings enabledLearn
19aif-003Microsoft.CognitiveServices/accountsHighAvailabilityHighService should have a SLALearn
20aif-004Microsoft.CognitiveServices/accountsSecurityHighService should have private endpoints enabledLearn
21aif-006Microsoft.CognitiveServices/accountsGovernanceLowService Name should comply with naming conventionsLearn
22aif-007Microsoft.CognitiveServices/accountsGovernanceLowService should have tagsLearn
23aif-008Microsoft.CognitiveServices/accountsSecurityMediumService should have local authentication disabledLearn
24aks-001Microsoft.ContainerService/managedClustersMonitoringAndAlertingLowAKS Cluster should have diagnostic settings enabledLearn
25aks-003Microsoft.ContainerService/managedClustersHighAvailabilityHighAKS Cluster should have an SLALearn
26aks-004Microsoft.ContainerService/managedClustersSecurityHighAKS Cluster should be privateLearn
27aks-006Microsoft.ContainerService/managedClustersGovernanceLowAKS Name should comply with naming conventionsLearn
28aks-007Microsoft.ContainerService/managedClustersSecurityMediumAKS should integrate authentication with AAD (Managed)Learn
29aks-010Microsoft.ContainerService/managedClustersSecurityMediumAKS should have httpApplicationRouting disabledLearn
30aks-012Microsoft.ContainerService/managedClustersSecurityHighAKS should have outbound type set to user defined routingLearn
31aks-015Microsoft.ContainerService/managedClustersGovernanceLowAKS should have tagsLearn
32aks-016Microsoft.ContainerService/managedClustersScalabilityLowAKS Node Pools should have MaxSurge setLearn
33amg-001Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana name should comply with naming conventionsLearn
34amg-002Microsoft.Dashboard/managedGrafanaHighAvailabilityHighAzure Managed Grafana SLALearn
35amg-003Microsoft.Dashboard/managedGrafanaGovernanceLowAzure Managed Grafana should have tagsLearn
36amg-004Microsoft.Dashboard/managedGrafanaSecurityHighAzure Managed Grafana should disable public network accessLearn
37amg-005Microsoft.Dashboard/managedGrafanaHighAvailabilityHighAzure Managed Grafana should have availability zones enabledLearn
38apim-001Microsoft.ApiManagement/serviceMonitoringAndAlertingLowAPIM should have diagnostic settings enabledLearn
39apim-003Microsoft.ApiManagement/serviceHighAvailabilityHighAPIM should have a SLALearn
40apim-004Microsoft.ApiManagement/serviceSecurityHighAPIM should have private endpoints enabledLearn
41apim-006Microsoft.ApiManagement/serviceGovernanceLowAPIM should comply with naming conventionsLearn
42apim-007Microsoft.ApiManagement/serviceGovernanceLowAPIM should have tagsLearn
43apim-008Microsoft.ApiManagement/serviceSecurityMediumAPIM should use Managed IdentitiesLearn
44apim-009Microsoft.ApiManagement/serviceSecurityHighAPIM should only accept a minimum of TLS 1.2Learn
45apim-010Microsoft.ApiManagement/serviceSecurityHighAPIM should should not accept weak or deprecated ciphers.Learn
46apim-011Microsoft.ApiManagement/serviceSecurityHighAPIM: Renew expiring certificatesLearn
47app-001Microsoft.Web/sitesMonitoringAndAlertingLowApp Service should have diagnostic settings enabledLearn
48app-004Microsoft.Web/sitesSecurityHighApp Service should have private endpoints enabledLearn
49app-006Microsoft.Web/sitesGovernanceLowApp Service Name should comply with naming conventionsLearn
50app-007Microsoft.Web/sitesSecurityHighApp Service should use HTTPS onlyLearn
51app-008Microsoft.Web/sitesGovernanceLowApp Service should have tagsLearn
52app-009Microsoft.Web/sitesSecurityMediumApp Service should use VNET integrationLearn
53app-010Microsoft.Web/sitesSecurityMediumApp Service should have VNET Route all enabled for VNET integrationLearn
54app-011Microsoft.Web/sitesSecurityHighApp Service should use TLS 1.2Learn
55app-012Microsoft.Web/sitesSecurityHighApp Service remote debugging should be disabledLearn
56app-013Microsoft.Web/sitesSecurityHighApp Service should not allow insecure FTPLearn
57app-014Microsoft.Web/sitesScalabilityHighApp Service should have Always On enabledLearn
58app-015Microsoft.Web/sitesHighAvailabilityMediumApp Service should avoid using Client AffinityLearn
59app-016Microsoft.Web/sitesSecurityMediumApp Service should use Managed IdentitiesLearn
60appcs-001Microsoft.AppConfiguration/configurationStoresMonitoringAndAlertingLowAppConfiguration should have diagnostic settings enabledLearn
61appcs-003Microsoft.AppConfiguration/configurationStoresHighAvailabilityHighAppConfiguration should have a SLALearn
62appcs-004Microsoft.AppConfiguration/configurationStoresSecurityHighAppConfiguration should have private endpoints enabledLearn
63appcs-006Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration Name should comply with naming conventionsLearn
64appcs-007Microsoft.AppConfiguration/configurationStoresGovernanceLowAppConfiguration should have tagsLearn
65appcs-008Microsoft.AppConfiguration/configurationStoresSecurityMediumAppConfiguration should have local authentication disabledLearn
66appi-001Microsoft.Insights/componentsHighAvailabilityHighAzure Application Insights SLALearn
67appi-002Microsoft.Insights/componentsGovernanceLowAzure Application Insights Name should comply with naming conventionsLearn
68appi-003Microsoft.Insights/componentsGovernanceLowAzure Application Insights should have tagsLearn
69as-001Microsoft.AnalysisServices/serversMonitoringAndAlertingLowAzure Analysis Service should have diagnostic settings enabledLearn
70as-002Microsoft.AnalysisServices/serversHighAvailabilityHighAzure Analysis Service should have a SLALearn
71as-004Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service Name should comply with naming conventionsLearn
72as-005Microsoft.AnalysisServices/serversGovernanceLowAzure Analysis Service should have tagsLearn
73asp-001Microsoft.Web/serverfarmsMonitoringAndAlertingLowPlan should have diagnostic settings enabledLearn
74asp-003Microsoft.Web/serverfarmsHighAvailabilityHighPlan should have a SLALearn
75asp-006Microsoft.Web/serverfarmsGovernanceLowPlan Name should comply with naming conventionsLearn
76asp-007Microsoft.Web/serverfarmsGovernanceLowPlan should have tagsLearn
77ca-003Microsoft.App/containerAppsHighAvailabilityHighContainerApp should have a SLALearn
78ca-006Microsoft.App/containerAppsGovernanceLowContainerApp Name should comply with naming conventionsLearn
79ca-007Microsoft.App/containerAppsGovernanceLowContainerApp should have tagsLearn
80ca-008Microsoft.App/containerAppsSecurityLowContainerApp should not allow insecure ingress trafficLearn
81ca-009Microsoft.App/containerAppsSecurityLowContainerApp should use Managed IdentitiesLearn
82ca-010Microsoft.App/containerAppsHighAvailabilityLowContainerApp should use Azure Files to persist container dataLearn
83ca-011Microsoft.App/containerAppsHighAvailabilityLowContainerApp should avoid using session affinityLearn
84cae-001Microsoft.App/managedenvironmentsMonitoringAndAlertingLowContainer Apps Environment should have diagnostic settings enabledLearn
85cae-003Microsoft.App/managedenvironmentsHighAvailabilityHighContainer Apps Environment should have a SLALearn
86cae-004Microsoft.App/managedenvironmentsSecurityHighContainer Apps Environment should have private endpoints enabledLearn
87cae-006Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment Name should comply with naming conventionsLearn
88cae-007Microsoft.App/managedenvironmentsGovernanceLowContainer Apps Environment should have tagsLearn
89ci-002Microsoft.ContainerInstance/containerGroupsHighAvailabilityHighContainerInstance should have availability zones enabledLearn
90ci-003Microsoft.ContainerInstance/containerGroupsHighAvailabilityHighContainerInstance should have a SLALearn
91ci-004Microsoft.ContainerInstance/containerGroupsSecurityHighContainerInstance should use private IP addressesLearn
92ci-006Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance Name should comply with naming conventionsLearn
93ci-007Microsoft.ContainerInstance/containerGroupsGovernanceLowContainerInstance should have tagsLearn
94cosmos-001Microsoft.DocumentDB/databaseAccountsMonitoringAndAlertingLowCosmosDB should have diagnostic settings enabledLearn
95cosmos-003Microsoft.DocumentDB/databaseAccountsHighAvailabilityHighCosmosDB should have a SLALearn
96cosmos-004Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB should have private endpoints enabledLearn
97cosmos-006Microsoft.DocumentDB/databaseAccountsGovernanceLowCosmosDB Name should comply with naming conventionsLearn
98cosmos-007Microsoft.DocumentDB/databaseAccountsGovernanceLowCosmosDB should have tagsLearn
99cosmos-008Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB should have local authentication disabledLearn
100cosmos-009Microsoft.DocumentDB/databaseAccountsSecurityHighCosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keysLearn
101cr-001Microsoft.ContainerRegistry/registriesMonitoringAndAlertingLowContainerRegistry should have diagnostic settings enabledLearn
102cr-003Microsoft.ContainerRegistry/registriesHighAvailabilityHighContainerRegistry should have a SLALearn
103cr-004Microsoft.ContainerRegistry/registriesSecurityHighContainerRegistry should have private endpoints enabledLearn
104cr-006Microsoft.ContainerRegistry/registriesGovernanceLowContainerRegistry Name should comply with naming conventionsLearn
105cr-008Microsoft.ContainerRegistry/registriesSecurityMediumContainerRegistry should have the Administrator account disabledLearn
106cr-009Microsoft.ContainerRegistry/registriesGovernanceLowContainerRegistry should have tagsLearn
107cr-010Microsoft.ContainerRegistry/registriesGovernanceMediumContainerRegistry should use retention policiesLearn
108dbw-001Microsoft.Databricks/workspacesMonitoringAndAlertingLowAzure Databricks should have diagnostic settings enabledLearn
109dbw-003Microsoft.Databricks/workspacesHighAvailabilityHighAzure Databricks should have a SLALearn
110dbw-004Microsoft.Databricks/workspacesSecurityHighAzure Databricks should have private endpoints enabledLearn
111dbw-006Microsoft.Databricks/workspacesGovernanceLowAzure Databricks Name should comply with naming conventionsLearn
112dbw-007Microsoft.Databricks/workspacesSecurityMediumAzure Databricks should have the Public IP disabledLearn
113dec-001Microsoft.Kusto/clustersMonitoringAndAlertingLowAzure Data Explorer should have diagnostic settings enabledLearn
114dec-002Microsoft.Kusto/clustersHighAvailabilityHighAzure Data Explorer SLALearn
115dec-003Microsoft.Kusto/clustersHighAvailabilityHighAzure Data Explorer Production Cluster should not use Dev SKULearn
116dec-004Microsoft.Kusto/clustersSecurityHighAzure Data Explorer should have private endpoints enabledLearn
117dec-005Microsoft.Kusto/clustersGovernanceLowAzure Data Explorer should have tagsLearn
118dec-006Microsoft.Kusto/clustersGovernanceLowAzure Data Explorer Name should comply with naming conventionsLearn
119dec-008Microsoft.Kusto/clustersSecurityHighAzure Data Explorer should use Disk EncryptionLearn
120dec-009Microsoft.Kusto/clustersSecurityLowAzure Data Explorer should use Managed IdentitiesLearn
121evgd-001Microsoft.EventGrid/domainsMonitoringAndAlertingLowEvent Grid Domain should have diagnostic settings enabledLearn
122evgd-003Microsoft.EventGrid/domainsHighAvailabilityHighEvent Grid Domain should have a SLALearn
123evgd-004Microsoft.EventGrid/domainsSecurityHighEvent Grid Domain should have private endpoints enabledLearn
124evgd-006Microsoft.EventGrid/domainsGovernanceLowEvent Grid Domain Name should comply with naming conventionsLearn
125evgd-007Microsoft.EventGrid/domainsGovernanceLowEvent Grid Domain should have tagsLearn
126evgd-008Microsoft.EventGrid/domainsSecurityMediumEvent Grid Domain should have local authentication disabledLearn
127evh-001Microsoft.EventHub/namespacesMonitoringAndAlertingLowEvent Hub Namespace should have diagnostic settings enabledLearn
128evh-003Microsoft.EventHub/namespacesHighAvailabilityHighEvent Hub Namespace should have a SLALearn
129evh-004Microsoft.EventHub/namespacesSecurityHighEvent Hub Namespace should have private endpoints enabledLearn
130evh-006Microsoft.EventHub/namespacesGovernanceLowEvent Hub Namespace Name should comply with naming conventionsLearn
131evh-007Microsoft.EventHub/namespacesGovernanceLowEvent Hub should have tagsLearn
132evh-008Microsoft.EventHub/namespacesSecurityMediumEvent Hub should have local authentication disabledLearn
133func-001Microsoft.Web/sitesMonitoringAndAlertingLowFunction should have diagnostic settings enabledLearn
134func-004Microsoft.Web/sitesSecurityHighFunction should have private endpoints enabledLearn
135func-006Microsoft.Web/sitesGovernanceLowFunction Name should comply with naming conventionsLearn
136func-007Microsoft.Web/sitesSecurityHighFunction should use HTTPS onlyLearn
137func-008Microsoft.Web/sitesGovernanceLowFunction should have tagsLearn
138func-009Microsoft.Web/sitesSecurityMediumFunction should use VNET integrationLearn
139func-010Microsoft.Web/sitesSecurityMediumFunction should have VNET Route all enabled for VNET integrationLearn
140func-011Microsoft.Web/sitesSecurityMediumFunction should use TLS 1.2Learn
141func-012Microsoft.Web/sitesSecurityMediumFunction remote debugging should be disabledLearn
142func-013Microsoft.Web/sitesHighAvailabilityMediumFunction should avoid using Client AffinityLearn
143func-014Microsoft.Web/sitesSecurityMediumFunction should use Managed IdentitiesLearn
144hub-001Microsoft.MachineLearningServices/workspacesGovernanceLowService name should comply with naming conventionsLearn
145hub-002Microsoft.MachineLearningServices/workspacesHighAvailabilityHighService SLALearn
146hub-003Microsoft.MachineLearningServices/workspacesGovernanceLowService should have tagsLearn
147hub-004Microsoft.MachineLearningServices/workspacesSecurityHighService should disable public network accessLearn
148hub-005Microsoft.MachineLearningServices/workspacesSecurityHighService should have private enpoints enabledLearn
149hub-006Microsoft.MachineLearningServices/workspacesMonitoringAndAlertingLowService should have diagnostic settings enabledLearn
150it-006Microsoft.VirtualMachineImages/imageTemplatesGovernanceLowImage Template Name should comply with naming conventionsLearn
151it-007Microsoft.VirtualMachineImages/imageTemplatesGovernanceLowImage Template should have tagsLearn
152kv-001Microsoft.KeyVault/vaultsMonitoringAndAlertingLowKey Vault should have diagnostic settings enabledLearn
153kv-003Microsoft.KeyVault/vaultsHighAvailabilityHighKey Vault should have a SLALearn
154kv-006Microsoft.KeyVault/vaultsGovernanceLowKey Vault Name should comply with naming conventionsLearn
155kv-007Microsoft.KeyVault/vaultsGovernanceLowKey Vault should have tagsLearn
156lb-001Microsoft.Network/loadBalancersMonitoringAndAlertingLowLoad Balancer should have diagnostic settings enabledLearn
157lb-003Microsoft.Network/loadBalancersHighAvailabilityHighLoad Balancer should have a SLALearn
| 158 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 159 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 160 | log-003 | Microsoft.OperationalInsights/workspaces | HighAvailability | High | Log Analytics Workspace SLA | Learn |
| 161 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 162 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 163 | logic-001 | Microsoft.Logic/workflows | MonitoringAndAlerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 164 | logic-003 | Microsoft.Logic/workflows | HighAvailability | High | Logic App should have a SLA | Learn |
| 165 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 166 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 167 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 168 | logics-001 | Microsoft.Web/sites | MonitoringAndAlerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 169 | logics-004 | Microsoft.Web/sites | Security | High | Logic App should have private endpoints enabled | Learn |
| 170 | logics-006 | Microsoft.Web/sites | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 171 | logics-007 | Microsoft.Web/sites | Security | High | Logic App should use HTTPS only | Learn |
| 172 | logics-008 | Microsoft.Web/sites | Governance | Low | Logic App should have tags | Learn |
| 173 | logics-009 | Microsoft.Web/sites | Security | Medium | Logic App should use VNET integration | Learn |
| 174 | logics-010 | Microsoft.Web/sites | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | Learn |
| 175 | logics-011 | Microsoft.Web/sites | Security | Medium | Logic App should use TLS 1.2 | Learn |
| 176 | logics-012 | Microsoft.Web/sites | Security | Medium | Logic App remote debugging should be disabled | Learn |
| 177 | logics-013 | Microsoft.Web/sites | HighAvailability | Medium | Logic App should avoid using Client Affinity | Learn |
| 178 | logics-014 | Microsoft.Web/sites | Security | Medium | Logic App should use Managed Identities | Learn |
| 179 | maria-001 | Microsoft.DBforMariaDB/servers | MonitoringAndAlerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 180 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 181 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming conventions | Learn |
| 182 | maria-004 | Microsoft.DBforMariaDB/servers | HighAvailability | High | MariaDB server should have a SLA | Learn |
| 183 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn |
| 184 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn |
| 185 | mysql-001 | Microsoft.DBforMySQL/servers | MonitoringAndAlerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 186 | mysql-003 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server should have a SLA | Learn |
| 187 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 188 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn |
| 189 | mysql-007 | Microsoft.DBforMySQL/servers | HighAvailability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 190 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn |
| 191 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | MonitoringAndAlerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 192 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn |
| 193 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 194 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn |
| 195 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | Learn |
| 196 | ng-001 | Microsoft.Network/natGateways | MonitoringAndAlerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 197 | ng-003 | Microsoft.Network/natGateways | HighAvailability | High | NAT Gateway SLA | Learn |
| 198 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn |
| 199 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn |
| 200 | nsg-001 | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | NSG should have diagnostic settings enabled | Learn |
| 201 | nsg-003 | Microsoft.Network/networkSecurityGroups | HighAvailability | High | NSG SLA | Learn |
| 202 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn |
| 203 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn |
| 204 | nw-003 | Microsoft.Network/networkWatchers | HighAvailability | High | Network Watcher SLA | Learn |
| 205 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn |
| 206 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn |
| 207 | pep-003 | Microsoft.Network/privateEndpoints | HighAvailability | High | Private Endpoint SLA | Learn |
| 208 | pep-006 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint Name should comply with naming conventions | Learn |
| 209 | pep-007 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint should have tags | Learn |
| 210 | pip-003 | Microsoft.Network/publicIPAddresses | HighAvailability | High | Public IP SLA | Learn |
| 211 | pip-006 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP Name should comply with naming conventions | Learn |
| 212 | pip-007 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP should have tags | Learn |
| 213 | psql-001 | Microsoft.DBforPostgreSQL/servers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 214 | psql-003 | Microsoft.DBforPostgreSQL/servers | HighAvailability | High | PostgreSQL should have a SLA | Learn |
| 215 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn |
| 216 | psql-006 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 217 | psql-007 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL should have tags | Learn |
| 218 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn |
| 219 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn |
| 220 | psqlf-001 | Microsoft.DBforPostgreSQL/flexibleServers | MonitoringAndAlerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 221 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | PostgreSQL should have a SLA | Learn |
| 222 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn |
| 223 | psqlf-006 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 224 | psqlf-007 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL should have tags | Learn |
| 225 | redis-001 | Microsoft.Cache/Redis | MonitoringAndAlerting | Low | Redis should have diagnostic settings enabled | Learn |
| 226 | redis-003 | Microsoft.Cache/Redis | HighAvailability | High | Redis should have a SLA | Learn |
| 227 | redis-006 | Microsoft.Cache/Redis | Governance | Low | Redis Name should comply with naming conventions | Learn |
| 228 | redis-007 | Microsoft.Cache/Redis | Governance | Low | Redis should have tags | Learn |
| 229 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn |
| 230 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn |
| 231 | sb-001 | Microsoft.ServiceBus/namespaces | MonitoringAndAlerting | Low | Service Bus should have diagnostic settings enabled | Learn |
| 232 | sb-003 | Microsoft.ServiceBus/namespaces | HighAvailability | High | Service Bus should have a SLA | Learn |
| 233 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn |
| 234 | sb-006 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus Name should comply with naming conventions | Learn |
| 235 | sb-007 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus should have tags | Learn |
| 236 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn |
| 237 | sigr-001 | Microsoft.SignalRService/SignalR | MonitoringAndAlerting | Low | SignalR should have diagnostic settings enabled | Learn |
| 238 | sigr-003 | Microsoft.SignalRService/SignalR | HighAvailability | High | SignalR should have a SLA | Learn |
| 239 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn |
| 240 | sigr-006 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR Name should comply with naming conventions | Learn |
| 241 | sigr-007 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR should have tags | Learn |
| 242 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn |
| 243 | sql-006 | Microsoft.Sql/servers | Governance | Low | SQL Name should comply with naming conventions | Learn |
| 244 | sql-007 | Microsoft.Sql/servers | Governance | Low | SQL should have tags | Learn |
| 245 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn |
| 246 | sqldb-001 | Microsoft.Sql/servers/databases | MonitoringAndAlerting | Low | SQL Database should have diagnostic settings enabled | Learn |
| 247 | sqldb-003 | Microsoft.Sql/servers/databases | HighAvailability | High | SQL Database should have a SLA | Learn |
| 248 | sqldb-006 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database Name should comply with naming conventions | Learn |
| 249 | sqldb-007 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database should have tags | Learn |
| 250 | sqlep-002 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool Name should comply with naming conventions | Learn |
| 251 | sqlep-003 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool should have tags | Learn |
| 252 | srch-001 | Microsoft.Search/searchServices | Governance | Low | Azure AI Search name should comply with naming conventions | Learn |
| 253 | srch-002 | Microsoft.Search/searchServices | HighAvailability | High | Azure AI Search SLA | Learn |
| 254 | srch-003 | Microsoft.Search/searchServices | Governance | Low | Azure AI Search should have tags | Learn |
| 255 | srch-004 | Microsoft.Search/searchServices | Security | High | Azure AI Search should disable public network access | Learn |
| 256 | srch-005 | Microsoft.Search/searchServices | Security | High | Azure AI Search should have private enpoints enabled | Learn |
| 257 | srch-006 | Microsoft.Search/searchServices | MonitoringAndAlerting | Low | Azure AI Search should have diagnostic settings enabled | Learn |
| 258 | st-001 | Microsoft.Storage/storageAccounts | MonitoringAndAlerting | Low | Storage should have diagnostic settings enabled | Learn |
| 259 | st-003 | Microsoft.Storage/storageAccounts | HighAvailability | High | Storage should have a SLA | Learn |
| 260 | st-006 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Name should comply with naming conventions | Learn |
| 261 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn |
| 262 | st-008 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Account should have tags | Learn |
| 263 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn |
| 264 | st-010 | Microsoft.Storage/storageAccounts | DisasterRecovery | Low | Storage Account should have inmutable storage versioning enabled | Learn |
| 265 | st-011 | Microsoft.Storage/storageAccounts | DisasterRecovery | Medium | Storage Account should have soft delete enabled | Learn |
| 266 | syndp-001 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool Name should comply with naming conventions | Learn |
| 267 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | HighAvailability | High | Azure Synapse Dedicated SQL Pool SLA | Learn |
| 268 | syndp-003 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool should have tags | Learn |
| 269 | synsp-001 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool Name should comply with naming conventions | Learn |
| 270 | synsp-002 | Microsoft.Synapse workspaces/bigDataPools | HighAvailability | High | Azure Synapse Spark Pool SLA | Learn |
| 271 | synsp-003 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool should have tags | Learn |
| 272 | synw-001 | Microsoft.Synapse/workspaces | MonitoringAndAlerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn |
| 273 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn |
| 274 | synw-003 | Microsoft.Synapse/workspaces | HighAvailability | High | Azure Synapse Workspace SLA | Learn |
| 275 | synw-004 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace Name should comply with naming conventions | Learn |
| 276 | synw-005 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace should have tags | Learn |
| 277 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn |
| 278 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn |
| 279 | traf-001 | Microsoft.Network/trafficManagerProfiles | MonitoringAndAlerting | Low | Traffic Manager should have diagnostic settings enabled | Learn |
| 280 | traf-002 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager should have availability zones enabled | Learn |
| 281 | traf-003 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager should have a SLA | Learn |
| 282 | traf-006 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager Name should comply with naming conventions | Learn |
| 283 | traf-007 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager should have tags | Learn |
| 284 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn |
| 285 | udr-003 | Microsoft.Network/routeTables | HighAvailability | High | Rout Table SLA | Learn |
| 286 | udr-006 | Microsoft.Network/routeTables | Governance | Low | Rout Table Name should comply with naming conventions | Learn |
| 287 | udr-007 | Microsoft.Network/routeTables | Governance | Low | Rout Table should have tags | Learn |
| 288 | vgw-001 | Microsoft.Network/virtualNetworkGateways | MonitoringAndAlerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn |
| 289 | vgw-002 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway Name should comply with naming conventions | Learn |
| 290 | vgw-003 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway should have tags | Learn |
| 291 | vgw-004 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Virtual Network Gateway should have a SLA | Learn |
| 292 | vgw-005 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Storage should have availability zones enabled | Learn |
| 293 | vm-003 | Microsoft.Compute/virtualMachines | HighAvailability | High | Virtual Machine should have a SLA | Learn |
| 294 | vm-006 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine Name should comply with naming conventions | Learn |
| 295 | vm-007 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine should have tags | Learn |
| 296 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Virtual Machine should have a SLA | Learn |
| 297 | vmss-004 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set Name should comply with naming conventions | Learn |
| 298 | vmss-005 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set should have tags | Learn |
| 299 | vnet-001 | Microsoft.Network/virtualNetworks | MonitoringAndAlerting | Low | Virtual Network should have diagnostic settings enabled | Learn |
| 300 | vnet-006 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network Name should comply with naming conventions | Learn |
| 301 | vnet-007 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network should have tags | Learn |
| 302 | vnet-009 | Microsoft.Network/virtualNetworks | HighAvailability | High | Virtual Network should have at least two DNS servers assigned | Learn |
| 303 | vwa-001 | Microsoft.Network/virtualWans | MonitoringAndAlerting | Medium | Virtual WAN should have diagnostic settings enabled | Learn |
| 304 | vwa-002 | Microsoft.Network/virtualWans | HighAvailability | High | Virtual WAN should have availability zones enabled | Learn |
| 305 | vwa-003 | Microsoft.Network/virtualWans | HighAvailability | High | Virtual WAN should have a SLA | Learn |
| 306 | vwa-005 | Microsoft.Network/virtualWans | HighAvailability | High | Virtual WAN Type | Learn |
| 307 | vwa-006 | Microsoft.Network/virtualWans | Governance | Low | Virtual WAN Name should comply with naming conventions | Learn |
| 308 | vwa-007 | Microsoft.Network/virtualWans | Governance | Low | Virtual WAN should have tags | Learn |
| 309 | wps-001 | Microsoft.SignalRService/webPubSub | MonitoringAndAlerting | Low | Web Pub Sub should have diagnostic settings enabled | Learn |
| 310 | wps-002 | Microsoft.SignalRService/webPubSub | HighAvailability | High | Web Pub Sub should have availability zones enabled | Learn |
| 311 | wps-003 | Microsoft.SignalRService/webPubSub | HighAvailability | High | Web Pub Sub should have a SLA | Learn |
| 312 | wps-004 | Microsoft.SignalRService/webPubSub | Security | High | Web Pub Sub should have private endpoints enabled | Learn |
| 313 | wps-006 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub Name should comply with naming conventions | Learn |
| 314 | wps-007 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub should have tags | Learn |
| 315 | 005ccbbd-aeab-46ef-80bd-9bd4479412ec | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure user nodepool count | Learn |
| 316 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 317 | 029208c8-5186-4a76-8ee8-6e3445fef4dd | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor Memory Utilization to ensure sufficient resources for workloads | Learn |
| 318 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | OtherBestPractices | Medium | Disable anonymous pull access | Learn |
| 319 | 0611251f-e70f-4243-8ddd-cfe894bec2e7 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Update AKS tier to Standard or Premium | Learn |
| 320 | 06b77be9-56a3-4d41-b362-8b295c5a283d | Microsoft.Network/virtualNetworks | MonitoringAndAlerting | Medium | Enable Virtual Network Flow Logs | Learn |
| 321 | 07243659-4643-d44c-a1c6-07ac21635072 | Microsoft.Web/serverFarms | Scalability | Medium | Avoid scaling up or down | Learn |
| 322 | 0b80b67c-afbe-4988-ad58-a85a146b681e | Microsoft.Web/sites | OtherBestPractices | Medium | Store configuration as app settings for Web Sites | Learn |
| 323 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | Medium | Ensure ExpressRoute Direct is not over-subscribed | Learn |
| 324 | 0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a | Microsoft.Network/frontDoorWebApplicationFirewallPolicies | Governance | Medium | Front Door WAF Policy without associations | Learn |
| 325 | 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 | Microsoft.Network/applicationGateways | HighAvailability | Medium | Plan for backend maintenance by using connection draining | Learn |
| 326 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | HighAvailability | High | Use Managed Disks for VM disks | Learn |
| 327 | 13794a63-8d95-47ce-acbd-5925ede5b208 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Ensure to create Machine Learning Compute resources in secondary region | Learn |
| 328 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Deploy VMSS across availability zones with VMSS Flex | Learn |
| 329 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn |
| 330 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.Compute/virtualMachines | DisasterRecovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn |
| 331 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Backup VMs with Azure Backup service | Learn |
| 332 | 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d | Microsoft.Web/serverFarms | Governance | Medium | App Service plans without hosting Apps | Learn |
| 333 | 1ad9d7b7-9692-1441-a8f4-93792efbe97a | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | Medium | Configure at least one endpoint within a another region | Learn |
| 334 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn |
| 335 | 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d | Microsoft.Network/azureFirewalls | Security | High | Configure DDoS Protection on the Azure Firewall VNet | Learn |
| 336 | 1bd2b7e8-400f-e64a-99a2-c572f7b08a62 | Microsoft.Cdn/profiles | Security | Medium | Enable the WAF | Learn |
| 337 | 1c2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f | Microsoft.Resources/resourceGroups | Governance | Medium | Resource Groups without resources | Learn |
| 338 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | HighAvailability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 339 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | DisasterRecovery | High | Key vaults should have soft delete enabled | Learn |
| 340 | 1e2f3a4b-5c6d-7e8f-9a0b-1c2d3e4f5a6b | Microsoft.Network/trafficManagerProfiles | Governance | Medium | Traffic Manager without endpoints | Learn |
| 341 | 2102a57a-a056-4d5e-afe5-9df9f92177ca | Microsoft.AppConfiguration/configurationStores | HighAvailability | High | Upgrade to App Configuration Standard tier | Learn |
| 342 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | DisasterRecovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 343 | 233a7008-71e9-e745-923e-1a1c7a0b92f3 | Microsoft.Network/applicationGateways | Security | High | Secure all incoming connections with SSL | Learn |
| 344 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | MonitoringAndAlerting | Medium | Monitor changes in Route Tables with Azure Monitor | Learn |
| 345 | 24ab9f11-a3e4-3043-a985-22cf94c4933a | Microsoft.Cdn/profiles | Security | High | Use HTTP to HTTPS redirection | Learn |
| 346 | 24ae3773-cc2c-3649-88de-c9788e25b463 | Microsoft.Network/virtualNetworks | Security | Medium | When available, use Private Endpoints instead of Service Endpoints for PaaS Services | Learn |
| 347 | 269a9f1a-6675-460a-831e-b05a887a8c4b | Microsoft.ContainerService/managedClusters | DisasterRecovery | Low | Back up Azure Kubernetes Service | Learn |
| 348 | 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094 | Microsoft.ContainerService/managedClusters | OtherBestPractices | Low | Enable and remediate Azure Policies configured for AKS | Learn |
| 349 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | HighAvailability | High | Run production workloads on two or more VMs using VMSS Flex | Learn |
| 350 | 281a2713-c0e0-3c48-b596-19f590c46671 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Enable Active-Active VPN Gateways for redundancy | Learn |
| 351 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | MonitoringAndAlerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn |
| 352 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 353 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn |
| 354 | 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e | Microsoft.Compute/availabilitySets | Governance | Medium | Availability Sets not associated to any VM or VMSS | Learn |
| 355 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | HighAvailability | High | Deploy VMs across Availability Zones | Learn |
| 356 | 2d3e4f5a-6b7c-8d9e-0f1a-2b3c4d5e6f7a | Microsoft.Web/connections | Governance | Medium | API Connections not related to any Logic App | Learn |
| 357 | 2f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c | Microsoft.Network/applicationGateways | Governance | Medium | Application Gateways without backend targets | Learn |
| 358 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | HighAvailability | High | Reserve Compute Capacity for critical workloads | Learn |
| 359 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 360 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn |
| 361 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/disks | OtherBestPractices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 362 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | DisasterRecovery | High | Create container registries with geo-replication enabled | Learn |
| 363 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | HighAvailability | High | Use Standard Load Balancer SKU | Learn |
| 364 | 3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d | Microsoft.Network/virtualNetworks | Governance | Medium | Virtual Networks without subnets | Learn |
| 365 | 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f | Microsoft.Compute/disks | Governance | Medium | Managed Disks with ‘Unattached’ state | Learn |
| 366 | 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 | Microsoft.Network/azureFirewalls | MonitoringAndAlerting | High | Monitor Azure Firewall metrics | Learn |
| 367 | 3e115044-a3aa-433e-be01-ce17d67e50da | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled ExpressRoute gateway maintenance | Learn |
| 368 | 3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b | Microsoft.Web/certificates | Governance | Medium | Expired certificates | Learn |
| 369 | 3ef86f16-f65b-c645-9901-7830d6dc3a1b | Microsoft.ContainerRegistry/registries | Scalability | Medium | Manage registry size | Learn |
| 370 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn |
| 371 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | OtherBestPractices | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn |
| 372 | 4232eb32-3241-4049-9e14-9b8005817b56 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization | Learn |
| 373 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Configure at least two regions for high availability | Learn |
| 374 | 48ea6480-6263-40ba-8937-326d790e63f6 | Microsoft.MachineLearningServices/workspaces | OtherBestPractices | High | Make Azure Machine Learning quota requests through the Azure Machine Learning Studio | Learn |
| 375 | 4b5c6d7e-8f9a-0b1c-2d3e-4f5a6b7c8d9e | Microsoft.Network/virtualNetworks/subnets | Governance | Medium | Subnets without Connected Devices or Delegation | Learn |
| 376 | 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Deploy VPN gateways with zone-redundant Public IPs | Learn |
| 377 | 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a | Microsoft.Sql/servers/elasticpools | Governance | Medium | SQL elastic pool without databases | Learn |
| 378 | 4ea2878f-0d69-8d4a-b715-afc10d1e538e | Microsoft.Compute/virtualMachines | Scalability | Low | Host database data on a data disk | Learn |
| 379 | 4ee5d535-c47b-470a-9557-4a3dd297d62f | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor CPU Utilization to ensure sufficient resources for workloads | Learn |
| 380 | 4f63619f-5001-439c-bacb-8de891287727 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Deploy AKS cluster across availability zones | Learn |
| 381 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | HighAvailability | Medium | Use maintenance configurations for the Dedicated and/or Isolated VM SKUs | Learn |
| 382 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | HighAvailability | High | Enable zone redundancy for Azure Cache for Redis | Learn |
| 383 | 5b1933a6-90e4-f642-a01f-e58594e5aab2 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Choose a Zone-redundant VPN gateway | Learn |
| 384 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | HighAvailability | Medium | Traffic manager profiles should have more than one endpoint | Learn |
| 385 | 5c6d7e8f-9a0b-1c2d-3e4f-5a6b7c8d9e0f | Microsoft.Network/natGateways | Governance | Medium | NAT Gateways not attached to any subnet | Learn |
| 386 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 387 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn |
| 388 | 5e6f7a8b-9c0d-1e2f-3a4b-5c6d7e8f9a0b | Microsoft.Network/publicIPAddresses | Governance | Medium | Public IPs not attached to any resource | Learn |
| 389 | 5ee083cd-6ac3-4a83-8913-9549dd36cf56 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Isolate system and application pods | Learn |
| 390 | 5f3cbd68-692a-4121-988c-9770914859a9 | Microsoft.ContainerService/managedClusters | OtherBestPractices | Low | Enable GitOps when using DevOps frameworks | Learn |
| 391 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | HighAvailability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 392 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 393 | 6293a3cc-6b4a-4c0f-9ea7-b8ae8d7dd3d5 | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 394 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | HighAvailability | Medium | Enable zone redundancy | Learn |
| 395 | 675d249a-9486-45e3-8e89-863f5802782d | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Deploy Azure Machine learning workspace in secondary region | Learn |
| 396 | 69ea1185-19b7-de40-9da1-9e8493547a5c | Microsoft.Network/virtualNetworks | Security | High | Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans | Learn |
| 397 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | HighAvailability | High | Enable zone redundancy for SignalR | Learn |
| 398 | 6cd57b65-ef84-4088-9ada-c0d8de74c2f7 | Microsoft.Dashboard/grafana | HighAvailability | Medium | Enable zone redundancy in Managed Grafana | Learn |
| 399 | 6d7e8f9a-0b1c-2d3e-4f5a-6b7c8d9e0f1a | Microsoft.Network/ipGroups | Governance | Medium | IP Groups not attached to any Azure Firewall | Learn |
| 400 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 401 | 6e2af91f-477d-46a5-b8ce-6cd1b8176550 | Microsoft.MachineLearningServices/workspaces | ServiceUpgradeAndRetirement | Medium | Choose SKUs with longer terms and avoid those nearing retirement | Learn |
| 402 | 6e4f0fd1-1853-4b94-9736-6d6d239d2694 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Selecting regions for BCDR, ensure that both regions offer adequate compute quotas | Learn |
| 403 | 6f7a8b9c-0d1e-2f3a-4b5c-6d7e8f9a0b1c | Microsoft.Network/networkInterfaces | Governance | Medium | Network Interfaces not attached to any resource | Learn |
| 404 | 70b1d2be-e6c4-b54e-9959-b1b690f9e485 | Microsoft.Compute/virtualMachines | Security | Low | Network access to the VM disk should be set to Disable public access and enable private access | Learn |
| 405 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | DisasterRecovery | Medium | Key vaults should have purge protection enabled | Learn |
| 406 | 73d1bb04-7d3e-0d47-bc0d-63afe773b5fe | Microsoft.Compute/virtualMachines | OtherBestPractices | Low | When AccelNet is enabled, you must manually update the GuestOS NIC driver | Learn |
| 407 | 740f2c1c-8857-4648-80eb-47d2c56d5a50 | Microsoft.ApiManagement/service | HighAvailability | High | Enable Availability Zones on Premium API Management instances | Learn |
| 408 | 74c2491d-048b-0041-a140-935960220e20 | Microsoft.Sql/servers | DisasterRecovery | High | Use Active Geo Replication to Create a Readable Secondary in Another Region | Learn |
| 409 | 74fcb9f2-9a25-49a6-8c42-d32851c4afb7 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Service Health notifications and alerts for Azure VMware Solution | Learn |
| 410 | 7893f0b3-8622-1d47-beed-4b50a19f7895 | Microsoft.Network/applicationGateways | Scalability | High | Migrate to Application Gateway v2 | Learn |
| 411 | 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d | Microsoft.Network/networkSecurityGroups | Governance | Medium | Network Security Groups not attached to any network interface or subnet | Learn |
| 412 | 7e7daec9-6a81-3546-a4cc-9aef72fec1f7 | Microsoft.Sql/servers/databases | MonitoringAndAlerting | High | Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents | Learn |
| 413 | 7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b | Microsoft.Network/privateDnsZones | Governance | Medium | Private DNS zones without Virtual Network Links | Learn |
| 414 | 7f7ae535-a5ba-4665-b7e0-c451dbdda01f | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure system nodepool count | Learn |
| 415 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 416 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn |
| 417 | 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f | Microsoft.Network/applicationGateways | Scalability | Medium | Ensure Autoscale feature has been enabled | Learn |
| 418 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn |
| 419 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 420 | 8364fd0a-7c0e-e240-9d95-4bf965aec243 | Microsoft.Network/applicationGateways | OtherBestPractices | High | Ensure Application Gateway Subnet is using a /24 subnet mask | Learn |
| 421 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | HighAvailability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 422 | 847a8d88-21c4-bc48-a94e-562206edd767 | Microsoft.Network/applicationGateways | MonitoringAndAlerting | High | Use Health Probes to detect backend availability | Learn |
| 423 | 855ca19a-6518-4f2e-9e5a-01796fbca9f8 | Microsoft.Web/serverFarms | Scalability | High | Set minimum instance count to 2 for app service | Learn |
| 424 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 425 | 88cb90c2-3b99-814b-9820-821a63f600dd | Microsoft.Web/serverFarms | HighAvailability | High | Migrate App Service to availability Zone Support | Learn |
| 426 | 8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e | Microsoft.Network/routeTables | Governance | Medium | Route Tables not attached to any subnet | Learn |
| 427 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 428 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | HighAvailability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 429 | 8d9223c4-730d-ca47-af88-a9a024c37270 | Microsoft.Network/applicationGateways | Security | Low | Enable Web Application Firewall policies | Learn |
| 430 | 8e389532-5db5-7e4c-9d4d-443b3e55ae82 | Microsoft.ContainerRegistry/registries | Governance | Low | Move Container Registry to a dedicated resource group | Learn |
| 431 | 8f9a0b1c-2d3e-4f5a-6b7c-8d9e0f1a2b3c | Microsoft.Network/privateEndpoints | Governance | Medium | Private Endpoints not connected to any resource | Learn |
| 432 | 902c82ff-4910-4b61-942d-0d6ef7f39b67 | Microsoft.ContainerService/managedClusters | Scalability | High | Enable the cluster auto-scaler on an existing cluster | Learn |
| 433 | 921631f6-ed59-49a5-94c1-f0f3ececa580 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Enable availability zones | Learn |
| 434 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Network/trafficManagerProfiles | BusinessContinuity | High | Avoid combining Traffic Manager and Front Door | Learn |
| 435 | 943c168a-2ec2-a94c-8015-85732a1b4859 | Microsoft.Sql/servers | DisasterRecovery | High | Auto Failover Groups can encompass one or multiple databases, usually used by the same app. | Learn |
| 436 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | MonitoringAndAlerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn |
| 437 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | OtherBestPractices | Medium | Configure host pool scheduled agent updates | Learn |
| 438 | 98f15850-f31e-4fb2-8874-74f5aabbcf91 | Microsoft.MachineLearningServices/workspaces | DisasterRecovery | High | Ensure checkpoints are used for AI training models | Learn |
| 439 | 9a0b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d | Microsoft.Network/virtualNetworkGateways | Governance | Medium | Virtual Network Gateways without Point-to-site configuration or Connections | Learn |
| 440 | 9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f | Microsoft.Network/loadBalancers | Governance | Medium | Load Balancers with empty backend address pools | Learn |
| 441 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
4429ce78192-74a0-104c-b5bb-9a443f941649Microsoft.DocumentDB/databaseAccountsHighAvailabilityHighEvaluate multi-region write capabilityLearn
4439e39919b-78af-4a0b-b70f-c548dae97c25Microsoft.RecoveryServices/vaultsDisasterRecoveryMediumEnable Soft Delete for Recovery Services Vaults in Azure BackupLearn
4449ec5b4c8-3dd8-473a-86ee-3273290331b9Microsoft.AVS/privateCloudsHighAvailabilityLowEnable Stretched Clusters for Multi-AZ Availability of the vSAN DatastoreLearn
445a1d91661-32d4-430b-b3b6-5adeb0975df7Microsoft.Web/sitesOtherBestPracticesLowDeploy to a staging slotLearn
446a7bfcc18-b0d8-4d37-81f3-8131ed8bead5Microsoft.Compute/virtualMachineScaleSetsScalabilityMediumUse Ephemeral OS Disks for AKS VMSS Node PoolsLearn
447a86ed26a-59d9-47bd-b440-6bc71b843978Microsoft.MachineLearningServices/workspacesDisasterRecoveryHighPlan for a multi-regional deployment of Azure Machine Learning and associated resourcesLearn
448a8d25876-7951-b646-b4e8-880c9031596bMicrosoft.Compute/virtualMachinesHighAvailabilityHighMigrate VMs using availability sets to VMSS FlexLearn
449aab6b4a4-9981-43a4-8728-35c7ecbb746dMicrosoft.Web/sitesGovernanceMediumConfigure network access restrictionsLearn
450b1e1378d-4572-4414-bebd-b8872a6d4d1cMicrosoft.Devices/IotHubsScalabilityHighUse Device Provisioning ServiceLearn
451b2113023-a553-2e41-9789-597e2fb54c31Microsoft.Web/serverFarmsHighAvailabilityHighUse Standard or Premium tierLearn
452b2bad57d-7e03-4c0f-9024-597c9eb295bbMicrosoft.DBforPostgreSQL/flexibleServersScalabilityHighEnable custom maintenance scheduleLearn
453b376281d-bfec-4695-8f90-9a44544fdfa4Microsoft.Search/searchServicesHighAvailabilityHighEnable AZ support in AI Search by configuring multiple replicas to your search serviceLearn
454b49a8653-cc43-48c9-8513-a2d2e3f14dd1Microsoft.DBforMySQL/flexibleServersDisasterRecoveryHighConfigure one or more read replicasLearn
455b5a63aa0-c58e-244f-b8a6-cbba0560a6dbMicrosoft.Compute/virtualMachineScaleSetsHighAvailabilityHighDisable Force strictly even balance across zones to avoid scale in and out fail attemptsLearn
456b72214bb-e879-5f4b-b9cd-642db84f36f4Microsoft.Compute/virtualMachinesMonitoringAndAlertingLowEnable VM InsightsLearn
457b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7Microsoft.Network/privateEndpointsHighAvailabilityMediumResolve issues with Private Endpoints in non Succeeded connection stateLearn
458baf3bfc0-32a2-4c0c-926d-c9bf0b49808eMicrosoft.ApiManagement/serviceHighAvailabilityHighMigrate API Management services to Premium SKU to support Availability ZonesLearn
459bb4c8db4-f821-475b-b1ea-16e95358665eMicrosoft.AppConfiguration/configurationStoresOtherBestPracticesLowEnable Purge protection for Azure App ConfigurationLearn
460bbe668b7-eb5c-c746-8b82-70afdedf0caeMicrosoft.Network/virtualNetworkGatewaysHighAvailabilityHighUse Zone-redundant ExpressRoute gateway SKUsLearn
461c0085c32-84c0-c247-bfa9-e70977cbf108Microsoft.Sql/servers/databasesHighAvailabilityHighEnable zone redundancy for Azure SQL Database to achieve high availability and resiliencyLearn
462c22db132-399b-4e7c-995d-577a60881be8Microsoft.ContainerService/managedClustersScalabilityMediumConfigure Azure CNI networking for dynamic allocation of IPs or use CNI overlayLearn
463c31f76a0-48cd-9f44-aa43-99ee904db9bcMicrosoft.Network/trafficManagerProfilesDisasterRecoveryHighEnsure endpoint configured to (All World) for geographic profilesLearn
464c474fc96-4e6a-4fb0-95d0-a26b3f35933cMicrosoft.Cache/redisSecurityMediumConfigure Private EndpointsLearn
465c63b81fb-7afc-894c-a840-91bb8a8dcfafMicrosoft.Network/publicIPAddressesHighAvailabilityHighUse Standard SKU and Zone-Redundant IPs when applicableLearn
466c6c4b962-5af4-447a-9d74-7b9c53a5dff5Microsoft.Web/sitesHighAvailabilityLowEnable auto heal for Functions AppLearn
467c72b7fee-1fa0-5b4b-98e5-54bcae95bb74Microsoft.Network/azureFirewallsHighAvailabilityHighDeploy Azure Firewall across multiple availability zonesLearn
468c9c00f2a-3888-714b-a72b-b4c9e8fcffb2Microsoft.Network/applicationGatewaysHighAvailabilityHighDeploy Application Gateway in a zone-redundant configurationLearn
469ca324d71-54b0-4a3e-b9e4-10e767daa9fcMicrosoft.ContainerService/managedClustersOtherBestPracticesHighDisable local accountsLearn
470ca87914f-aac4-4783-ab67-82a6f936f194Microsoft.DBforPostgreSQL/flexibleServersHighAvailabilityHighEnable HA with zone redundancyLearn
471cf2569bb-1cf2-46ce-8885-d742dc6f4a4cMicrosoft.MachineLearningServices/workspacesServiceUpgradeAndRetirementHighAvoid NC and NC_Promo series Azure VMs for machine learning quotas; migrate to newer versionsLearn
472cfe22a65-b1db-fd41-9e8e-d573922709aeMicrosoft.Compute/virtualMachinesDisasterRecoveryMediumReplicate VMs using Azure Site RecoveryLearn
473d37db635-157f-584d-9bce-4f6fc8c65ce5Microsoft.Network/virtualNetworkGatewaysHighAvailabilityHighConnect ExpressRoute gateway with circuits from diverse peering locationsLearn
474d40c769d-2f08-4980-8d8f-a386946276e6Microsoft.Network/expressRouteCircuitsScalabilityMediumImplement rate-limiting across ExpressRoute Direct Circuits to optimize network flowLearn
475d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1Microsoft.Cdn/profilesSecurityHighUse end-to-end TLSLearn
476dac421ec-2832-4c37-839e-b6dc5a38f2faMicrosoft.Insights/componentsServiceUpgradeAndRetirementMediumConvert Classic DeploymentsLearn
477dc55be60-6f8c-461e-a9d5-a3c7686ed94eMicrosoft.Storage/storageAccountsSecurityMediumEnable Azure Private Link service for storage accountsLearn
478dcaf8128-94bd-4d53-9235-3a0371df6b74Microsoft.ContainerService/managedClustersMonitoringAndAlertingHighEnable AKS MonitoringLearn
479df0ff862-814d-45a3-95e4-4fad5a244ba6Microsoft.Compute/virtualMachinesScalabilityHighMission Critical Workloads should consider using Premium or Ultra DisksLearn
480dfedbeb1-1519-fc47-86a5-52f96cf07105Microsoft.Compute/virtualMachinesScalabilityMediumEnable Accelerated Networking (AccelNet)Learn
481e35cf148-8eee-49d1-a1c9-956160f99e0bMicrosoft.ApiManagement/serviceHighAvailabilityHighAzure API Management platform version should be stv2Learn
482e4ffd7b0-ba24-c84e-9352-ba4819f908c0Microsoft.Compute/virtualMachineScaleSetsOtherBestPracticesLowSet Patch orchestration options to Azure-orchestratedLearn
483e544520b-8505-7841-9e77-1f1974ee86ecMicrosoft.DocumentDB/databaseAccountsDisasterRecoveryHighConfigure continuous backup modeLearn
484e620fa98-7a40-41a0-bfc9-b4407297fb58Microsoft.ContainerService/managedClustersHighAvailabilityHighNodepool subnet size needs to accommodate maximum auto-scale settingsLearn
485e6c7e1cc-2f47-264d-aa50-1da421314472Microsoft.Storage/storageAccountsHighAvailabilityHighEnsure that storage accounts are zone or region redundantLearn
486e7495e1c-0c75-0946-b266-b429b5c7f3bfMicrosoft.Compute/virtualMachineScaleSetsScalabilityMediumDeploy VMSS with Flex orchestration mode instead of UniformLearn
487e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1eMicrosoft.Devices/IotHubsMonitoringAndAlertingLowDisabled Fallback RouteLearn
488e7f0fd54-fba0-054e-9ab8-e676f2851f88Microsoft.ContainerRegistry/registriesDisasterRecoveryLowEnable soft delete policyLearn
489eb005943-40a8-194b-9db2-474d430046b7Microsoft.ContainerRegistry/registriesHighAvailabilityHighUse Premium tier for critical production workloadsLearn
490ee66ff65-9aa3-2345-93c1-25827cf79f44Microsoft.Compute/virtualMachineScaleSetsScalabilityHighConfigure VMSS Autoscale to custom and configure the scaling metricsLearn
491eeba3a49-fef0-481f-a471-7ff01139b474Microsoft.Devices/IotHubsHighAvailabilityHighDo not use free tierLearn
492f05a3e6d-49db-2740-88e2-2b13706c1f67Microsoft.Network/trafficManagerProfilesHighAvailabilityHighTraffic Manager Monitor Status Should be OnlineLearn
493f075a1bd-de9e-4819-9a1d-1ac41037a74fMicrosoft.ServiceBus/namespacesServiceUpgradeAndRetirementHighConfigure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higherLearn
494f0bf9ae6-25a5-974d-87d5-025abec73539Microsoft.Network/virtualNetworksSecurityLowAll Subnets should have a Network Security Group associatedLearn
495f4201965-a88d-449d-b3b4-021394719eb2Microsoft.App/managedenvironmentsHighAvailabilityHighDeploy zone redundant Container app environmentsLearn
496f46b0d1d-56ef-4795-b98a-f6ee00cb341aMicrosoft.ContainerService/managedClustersHighAvailabilityHighUse Azure Linux for Linux nodepoolsLearn
497f6a14b32-a727-4ace-b5fa-7b1c6bdff402Microsoft.Network/connectionsScalabilityMediumFor better data path performance enable FastPath on ExpressRoute ConnectionsLearn
498f8c2e6d9-4b3a-45d6-b9e2-8e7f3a1c2d04Microsoft.Network/virtualNetworkGatewaysHighAvailabilityMediumConfigure customer-controlled VPN gateway maintenanceLearn
499fa0cf4f5-0b21-47b7-89a9-ee936f193ce1Microsoft.Compute/disksHighAvailabilityMediumUse Azure Disks with Zone Redundant Storage for higher resiliency and availabilityLearn
500fbfef3df-04a5-41b2-a8fd-b8541eb04956Microsoft.EventHub/namespacesScalabilityHighEnable auto-inflate on Event Hub Standard tierLearn
501fd049c28-ae6d-48f0-a641-cc3ba1a3fe1dMicrosoft.Web/sitesOtherBestPracticesHighEnable Health check for App ServicesLearn

5 - Troubleshooting & Support

Troubleshooting & Support

If you encounter any issue while using Azure Quick Review (azqr), please set the AZURE_SDK_GO_LOGGING environment variable to all, run the tool with the --debug flag and then share the console output with us by filing a new issue.
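Debug output that ends up in a public GitHub issue can carry subscription IDs, tenant IDs, resource group names and request headers. The POSIX shell filter below is an added example, not part of azqr: it scrubs those values while leaving recommendation IDs (which are also GUIDs) intact. It assumes the `azqr scan` subcommand and an HTTP-trace style log; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of azqr: scrub tenant-specific identifiers from
# debug output before it goes into a public GitHub issue.
# Typical use (the --debug flag and AZURE_SDK_GO_LOGGING come from the page):
#   AZURE_SDK_GO_LOGGING=all azqr scan --debug 2>&1 | redact_debug_log > azqr-debug.txt

GUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Reads log text on stdin, writes the redacted text to stdout.
# Only GUIDs in a subscription or tenant position are replaced, so the
# recommendation ids (also GUIDs) stay readable for the maintainers.
redact_debug_log() {
  sed -E \
    -e "s#(/subscriptions/)${GUID_RE}#\1<subscription-id>#g" \
    -e "s#(login\.microsoftonline\.com/)${GUID_RE}#\1<tenant-id>#g" \
    -e 's#(/resource[Gg]roups/)[^/?[:space:]"]+#\1<resource-group>#g' \
    -e 's#(Authorization: *)[^[:space:]]+( +[^[:space:]]+)?#\1REDACTED#g' \
    -e 's#([?&](sig|access_token)=)[^&[:space:]"]+#\1REDACTED#g'
}

# Counts lines on stdin that still carry a subscription GUID or a bearer token.
# Run it on the redacted file; any result other than 0 means do not post yet.
count_leaks() {
  grep -Ec "/subscriptions/${GUID_RE}|Bearer +[A-Za-z0-9._~+/-]+" || true
}

# Constructed sample lines (not real azqr output); every identifier is made up
# except the recommendation id, which is taken from the recommendations list.
sample_log() {
  cat <<'EOF'
GET https://management.azure.com/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod-payments/providers/Microsoft.Network/networkSecurityGroups?api-version=2023-01-01
Authorization: Bearer CONSTRUCTED.TOKEN.VALUE
POST https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/v2.0/token
recommendation 8291c1fa-650c-b44b-b008-4deb7465919d matched 3 resources
EOF
}
```

Resource names deeper in the resource ID (for example a storage account or VM name) are not touched by this filter, so read the redacted file once before attaching it.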

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please check our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

  • For new issues, file your bug or feature request as a new issue.
  • For help, discussion, and support questions about using this project, join or start a discussion.

Support for this project / product is limited to the resources listed above.

6 - Contribution Guidelines

How to contribute to the project

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Contributing to Documentation

Below are the steps and required packages to get the Azure Quick Review Hugo site to build and run locally.

  • Ensure that you have the following packages installed locally.

    • git
    • hugo extended
    • nodejs
  • Fork the azqr repository, clone it locally, and then change to the docs folder

    cd .\azqr\docs
    
  • Execute the Node Module installer

    npm install
    
  • Once this has finished, you can start the Hugo server

    hugo server
    

8 - Related Projects

Azure Quick Review compared to APRL, Azure Review Checklists and PSRule.Rules.Azure

AZQR and APRL

As of version 2.0.0-preview, Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the Azure Proactive Resiliency Library (APRL), which are used to identify non-compliant resources.

Azure Quick Review (azqr) extends APRL by providing per-service-instance SLAs, Diagnostic Settings detection and more. Scan results therefore display AZQR or APRL to indicate the source of each recommendation.

APRL provides a curated catalog of resiliency recommendations for workloads running in Azure. Many of the recommendations contain supporting Azure Resource Graph (ARG) queries.

AZQR and Azure Orphan Resources

As of version 2.4.0, Azure Quick Review (azqr) includes all Azure Resource Graph queries provided by the Azure Orphan Resources project.

AZQR compared to Azure Review Checklists and PSRule.Rules.Azure

Azure Quick Review (azqr) was created to address a very specific need we had back in 2022. Initially, we had to run three assessments to get a clear picture of various solutions in terms of SLAs, use of Availability Zones, and Diagnostic Settings. At the time, we were not aware of the existence of the review-checklist or PSRule.Rules.Azure.

When some of our peers saw the assessments we were able to deliver with the early bits of Azure Quick Review (azqr), they asked us to add more checks (recommendations) and change the output format from markdown to Excel.

As many of our customers work in restrictive environments, the ability to run a self-contained, cross-platform binary while using read-only permissions became a key feature.

Moving forward to 2023, based on great feedback from both peers and customers, we moved the original repo to the Azure organization, added support for more services, fixed some issues and even added a Power BI template.

In August 2024, we added all APRL recommendations to Azure Quick Review (azqr) and removed duplicates in favor of the ones already available as Azure Resource Graph queries.

When compared with PSRule.Rules.Azure, Azure Quick Review (azqr) only scans deployed Azure resources and provides recommendations based on the current state. Azure Quick Review (azqr) does not scan ARM templates or Bicep files.

When compared to the review-checklist, Azure Quick Review (azqr) also provides an actionable list of more than 400 recommendations (70+ Azure resource types) that can be used to improve the resiliency of your Azure solutions.