Recommendations
Recommendations
Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category:
| # | Id | Resource Type | Category | Impact | Recommendation | Learn |
|---|---|---|---|---|---|---|
| 1 | adf-001 | Microsoft.DataFactory/factories | Monitoring and Alerting | Low | Azure Data Factory should have diagnostic settings enabled | Learn |
| 2 | adf-002 | Microsoft.DataFactory/factories | Security | High | Azure Data Factory should have private endpoints enabled | Learn |
| 3 | adf-003 | Microsoft.DataFactory/factories | High Availability | High | Azure Data Factory SLA | Learn |
| 4 | adf-004 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory Name should comply with naming conventions | Learn |
| 5 | adf-005 | Microsoft.DataFactory/factories | Governance | Low | Azure Data Factory should have tags | Learn |
| 6 | afd-001 | Microsoft.Cdn/profiles | Monitoring and Alerting | Low | Azure FrontDoor should have diagnostic settings enabled | Learn |
| 7 | afd-003 | Microsoft.Cdn/profiles | High Availability | High | Azure FrontDoor SLA | Learn |
| 8 | afd-006 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor Name should comply with naming conventions | Learn |
| 9 | afd-007 | Microsoft.Cdn/profiles | Governance | Low | Azure FrontDoor should have tags | Learn |
| 10 | 1bd2b7e8-400f-e64a-99a2-c572f7b08a62 | Microsoft.Cdn/profiles | Security | Medium | Enable the WAF | Learn |
| 11 | 38f3d542-6de6-a44b-86c6-97e3be690281 | Microsoft.Cdn/profiles | HighAvailability | Low | Disable health probes when there is only one origin in an origin group | Learn |
| 12 | 24ab9f11-a3e4-3043-a985-22cf94c4933a | Microsoft.Cdn/profiles | Security | High | Use HTTP to HTTPS redirection | Learn |
| 13 | d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1 | Microsoft.Cdn/profiles | Security | High | Use end-to-end TLS | Learn |
| 14 | afw-001 | Microsoft.Network/azureFirewalls | Monitoring and Alerting | Low | Azure Firewall should have diagnostic settings enabled | Learn |
| 15 | afw-003 | Microsoft.Network/azureFirewalls | High Availability | High | Azure Firewall SLA | Learn |
| 16 | afw-006 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall Name should comply with naming conventions | Learn |
| 17 | afw-007 | Microsoft.Network/azureFirewalls | Governance | Low | Azure Firewall should have tags | Learn |
| 18 | 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d | Microsoft.Network/azureFirewalls | Security | High | Configure DDoS Protection on the Azure Firewall VNet | Learn |
| 19 | c72b7fee-1fa0-5b4b-98e5-54bcae95bb74 | Microsoft.Network/azureFirewalls | HighAvailability | High | Deploy Azure Firewall across multiple availability zones | Learn |
| 20 | 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 | Microsoft.Network/azureFirewalls | MonitoringAndAlerting | High | Monitor Azure Firewall metrics | Learn |
| 21 | agw-005 | Microsoft.Network/applicationGateways | Monitoring and Alerting | Low | Application Gateway: Monitor and Log the configurations and traffic | Learn |
| 22 | agw-103 | Microsoft.Network/applicationGateways | High Availability | High | Application Gateway SLA | Learn |
| 23 | agw-105 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway Name should comply with naming conventions | Learn |
| 24 | agw-106 | Microsoft.Network/applicationGateways | Governance | Low | Application Gateway should have tags | Learn |
| 25 | 8364fd0a-7c0e-e240-9d95-4bf965aec243 | Microsoft.Network/applicationGateways | OtherBestPractices | High | Ensure Application Gateway Subnet is using a /24 subnet mask | Learn |
| 26 | 7893f0b3-8622-1d47-beed-4b50a19f7895 | Microsoft.Network/applicationGateways | Scalability | High | Migrate to Application Gateway v2 | Learn |
| 27 | 847a8d88-21c4-bc48-a94e-562206edd767 | Microsoft.Network/applicationGateways | MonitoringAndAlerting | High | Use Health Probes to detect backend availability | Learn |
| 28 | c9c00f2a-3888-714b-a72b-b4c9e8fcffb2 | Microsoft.Network/applicationGateways | HighAvailability | High | Deploy Application Gateway in a zone-redundant configuration | Learn |
| 29 | 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 | Microsoft.Network/applicationGateways | HighAvailability | Medium | Plan for backend maintenance by using connection draining | Learn |
| 30 | 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f | Microsoft.Network/applicationGateways | Scalability | Medium | Ensure Autoscale feature has been enabled | Learn |
| 31 | 233a7008-71e9-e745-923e-1a1c7a0b92f3 | Microsoft.Network/applicationGateways | Security | High | Secure all incoming connections with SSL | Learn |
| 32 | 8d9223c4-730d-ca47-af88-a9a024c37270 | Microsoft.Network/applicationGateways | Security | Low | Enable Web Application Firewall policies | Learn |
| 33 | aks-001 | Microsoft.ContainerService/managedClusters | Monitoring and Alerting | Low | AKS Cluster should have diagnostic settings enabled | Learn |
| 34 | aks-003 | Microsoft.ContainerService/managedClusters | High Availability | High | AKS Cluster should have an SLA | Learn |
| 35 | aks-004 | Microsoft.ContainerService/managedClusters | Security | High | AKS Cluster should be private | Learn |
| 36 | aks-006 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS Name should comply with naming conventions | Learn |
| 37 | aks-007 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should integrate authentication with AAD (Managed) | Learn |
| 38 | aks-008 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should be RBAC enabled. | Learn |
| 39 | aks-010 | Microsoft.ContainerService/managedClusters | Security | Medium | AKS should have httpApplicationRouting disabled | Learn |
| 40 | aks-012 | Microsoft.ContainerService/managedClusters | Security | High | AKS should have outbound type set to user defined routing | Learn |
| 41 | aks-015 | Microsoft.ContainerService/managedClusters | Governance | Low | AKS should have tags | Learn |
| 42 | aks-016 | Microsoft.ContainerService/managedClusters | Scalability | Low | AKS Node Pools should have MaxSurge set | Learn |
| 43 | 0611251f-e70f-4243-8ddd-cfe894bec2e7 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Update AKS tier to Standard or Premium | Learn |
| 44 | dcaf8128-94bd-4d53-9235-3a0371df6b74 | Microsoft.ContainerService/managedClusters | MonitoringAndAlerting | High | Enable AKS Monitoring | Learn |
| 45 | a7bfcc18-b0d8-4d37-81f3-8131ed8bead5 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Use Ephemeral OS disks on AKS clusters | Learn |
| 46 | 7f7ae535-a5ba-4665-b7e0-c451dbdda01f | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure system nodepool count | Learn |
| 47 | 26ebaf1f-c70d-4ebd-8641-4b60a0ce0094 | Microsoft.ContainerService/managedClusters | Governance | Low | Enable and remediate Azure Policies configured for AKS | Learn |
| 48 | 5f3cbd68-692a-4121-988c-9770914859a9 | Microsoft.ContainerService/managedClusters | OtherBestPractices | Low | Enable GitOps when using DevOps frameworks | Learn |
| 49 | 005ccbbd-aeab-46ef-80bd-9bd4479412ec | Microsoft.ContainerService/managedClusters | HighAvailability | High | Configure user nodepool count | Learn |
| 50 | f46b0d1d-56ef-4795-b98a-f6ee00cb341a | Microsoft.ContainerService/managedClusters | HighAvailability | High | Use Azure Linux for Linux nodepools | Learn |
| 51 | 5ee083cd-6ac3-4a83-8913-9549dd36cf56 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Isolate system and application pods | Learn |
| 52 | ca324d71-54b0-4a3e-b9e4-10e767daa9fc | Microsoft.ContainerService/managedClusters | Security | High | Disable local accounts | Learn |
| 53 | c22db132-399b-4e7c-995d-577a60881be8 | Microsoft.ContainerService/managedClusters | Scalability | Medium | Configure Azure CNI networking for dynamic allocation of IPs or use CNI overlay | Learn |
| 54 | 902c82ff-4910-4b61-942d-0d6ef7f39b67 | Microsoft.ContainerService/managedClusters | Scalability | High | Enable the cluster auto-scaler on an existing cluster | Learn |
| 55 | 269a9f1a-6675-460a-831e-b05a887a8c4b | Microsoft.ContainerService/managedClusters | DisasterRecovery | Low | Back up Azure Kubernetes Service | Learn |
| 56 | e620fa98-7a40-41a0-bfc9-b4407297fb58 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Nodepool subnet size needs to accommodate maximum auto-scale settings | Learn |
| 57 | 4f63619f-5001-439c-bacb-8de891287727 | Microsoft.ContainerService/managedClusters | HighAvailability | High | Deploy AKS cluster across availability zones | Learn |
| 58 | amg-001 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana name should comply with naming conventions | Learn |
| 59 | amg-002 | Microsoft.Dashboard/managedGrafana | High Availability | High | Azure Managed Grafana SLA | Learn |
| 60 | amg-003 | Microsoft.Dashboard/managedGrafana | Governance | Low | Azure Managed Grafana should have tags | Learn |
| 61 | amg-004 | Microsoft.Dashboard/managedGrafana | Security | High | Azure Managed Grafana should disable public network access | Learn |
| 62 | amg-005 | Microsoft.Dashboard/managedGrafana | High Availability | High | Azure Managed Grafana should have availability zones enabled | Learn |
| 63 | 6cd57b65-ef84-4088-9ada-c0d8de74c2f7 | Microsoft.Dashboard/grafana | HighAvailability | Medium | Enable zone redundancy in Managed Grafana | Learn |
| 64 | apim-001 | Microsoft.ApiManagement/service | Monitoring and Alerting | Low | APIM should have diagnostic settings enabled | Learn |
| 65 | apim-003 | Microsoft.ApiManagement/service | High Availability | High | APIM should have a SLA | Learn |
| 66 | apim-004 | Microsoft.ApiManagement/service | Security | High | APIM should have private endpoints enabled | Learn |
| 67 | apim-006 | Microsoft.ApiManagement/service | Governance | Low | APIM should comply with naming conventions | Learn |
| 68 | apim-007 | Microsoft.ApiManagement/service | Governance | Low | APIM should have tags | Learn |
| 69 | apim-008 | Microsoft.ApiManagement/service | Security | Medium | APIM should use Managed Identities | Learn |
| 70 | apim-009 | Microsoft.ApiManagement/service | Security | High | APIM should only accept a minimum of TLS 1.2 | Learn |
| 71 | apim-010 | Microsoft.ApiManagement/service | Security | High | APIM should should not accept weak or deprecated ciphers. | Learn |
| 72 | apim-011 | Microsoft.ApiManagement/service | Security | High | APIM: Renew expiring certificates | Learn |
| 73 | e35cf148-8eee-49d1-a1c9-956160f99e0b | Microsoft.ApiManagement/service | HighAvailability | High | Azure API Management platform version should be stv2 | Learn |
| 74 | baf3bfc0-32a2-4c0c-926d-c9bf0b49808e | Microsoft.ApiManagement/service | HighAvailability | High | Migrate API Management services to Premium SKU to support Availability Zones | Learn |
| 75 | 740f2c1c-8857-4648-80eb-47d2c56d5a50 | Microsoft.ApiManagement/service | HighAvailability | High | Enable Availability Zones on Premium API Management instances | Learn |
| 76 | appcs-001 | Microsoft.AppConfiguration/configurationStores | Monitoring and Alerting | Low | AppConfiguration should have diagnostic settings enabled | Learn |
| 77 | appcs-003 | Microsoft.AppConfiguration/configurationStores | High Availability | High | AppConfiguration should have a SLA | Learn |
| 78 | appcs-004 | Microsoft.AppConfiguration/configurationStores | Security | High | AppConfiguration should have private endpoints enabled | Learn |
| 79 | appcs-006 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration Name should comply with naming conventions | Learn |
| 80 | appcs-007 | Microsoft.AppConfiguration/configurationStores | Governance | Low | AppConfiguration should have tags | Learn |
| 81 | appcs-008 | Microsoft.AppConfiguration/configurationStores | Security | Medium | AppConfiguration should have local authentication disabled | Learn |
| 82 | bb4c8db4-f821-475b-b1ea-16e95358665e | Microsoft.AppConfiguration/configurationStores | Governance | Low | Enable Purge protection for Azure App Configuration | Learn |
| 83 | 2102a57a-a056-4d5e-afe5-9df9f92177ca | Microsoft.AppConfiguration/configurationStores | HighAvailability | High | Upgrade to App Configuration Standard tier | Learn |
| 84 | appi-001 | Microsoft.Insights/components | High Availability | High | Azure Application Insights SLA | Learn |
| 85 | appi-002 | Microsoft.Insights/components | Governance | Low | Azure Application Insights Name should comply with naming conventions | Learn |
| 86 | appi-003 | Microsoft.Insights/components | Governance | Low | Azure Application Insights should have tags | Learn |
| 87 | dac421ec-2832-4c37-839e-b6dc5a38f2fa | Microsoft.Insights/components | ServiceUpgradeAndRetirement | Medium | Convert Classic Deployments | Learn |
| 88 | as-001 | Microsoft.AnalysisServices/servers | Monitoring and Alerting | Low | Azure Analysis Service should have diagnostic settings enabled | Learn |
| 89 | as-002 | Microsoft.AnalysisServices/servers | High Availability | High | Azure Analysis Service should have a SLA | Learn |
| 90 | as-004 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service Name should comply with naming conventions | Learn |
| 91 | as-005 | Microsoft.AnalysisServices/servers | Governance | Low | Azure Analysis Service should have tags | Learn |
| 92 | app-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | App Service should have diagnostic settings enabled | Learn |
| 93 | app-004 | Microsoft.Web/sites | Security | High | App Service should have private endpoints enabled | Learn |
| 94 | app-006 | Microsoft.Web/sites | Governance | Low | App Service Name should comply with naming conventions | Learn |
| 95 | app-007 | Microsoft.Web/sites | Security | High | App Service should use HTTPS only | Learn |
| 96 | app-008 | Microsoft.Web/sites | Governance | Low | App Service should have tags | Learn |
| 97 | app-009 | Microsoft.Web/sites | Security | Medium | App Service should use VNET integration | Learn |
| 98 | app-010 | Microsoft.Web/sites | Security | Medium | App Service should have VNET Route all enabled for VNET integration | Learn |
| 99 | app-011 | Microsoft.Web/sites | Security | High | App Service should use TLS 1.2 | Learn |
| 100 | app-012 | Microsoft.Web/sites | Security | High | App Service remote debugging should be disabled | Learn |
| 101 | app-013 | Microsoft.Web/sites | Security | High | App Service should not allow insecure FTP | Learn |
| 102 | app-014 | Microsoft.Web/sites | Scalability | High | App Service should have Always On enabled | Learn |
| 103 | app-015 | Microsoft.Web/sites | High Availability | Medium | App Service should avoid using Client Affinity | Learn |
| 104 | app-016 | Microsoft.Web/sites | Security | Medium | App Service should use Managed Identities | Learn |
| 105 | asp-001 | Microsoft.Web/serverfarms | Monitoring and Alerting | Low | Plan should have diagnostic settings enabled | Learn |
| 106 | asp-003 | Microsoft.Web/serverfarms | High Availability | High | Plan should have a SLA | Learn |
| 107 | asp-006 | Microsoft.Web/serverfarms | Governance | Low | Plan Name should comply with naming conventions | Learn |
| 108 | asp-007 | Microsoft.Web/serverfarms | Governance | Low | Plan should have tags | Learn |
| 109 | func-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Function should have diagnostic settings enabled | Learn |
| 110 | func-004 | Microsoft.Web/sites | Security | High | Function should have private endpoints enabled | Learn |
| 111 | func-006 | Microsoft.Web/sites | Governance | Low | Function Name should comply with naming conventions | Learn |
| 112 | func-007 | Microsoft.Web/sites | Security | High | Function should use HTTPS only | Learn |
| 113 | func-008 | Microsoft.Web/sites | Governance | Low | Function should have tags | Learn |
| 114 | func-009 | Microsoft.Web/sites | Security | Medium | Function should use VNET integration | Learn |
| 115 | func-010 | Microsoft.Web/sites | Security | Medium | Function should have VNET Route all enabled for VNET integration | Learn |
| 116 | func-011 | Microsoft.Web/sites | Security | Medium | Function should use TLS 1.2 | Learn |
| 117 | func-012 | Microsoft.Web/sites | Security | Medium | Function remote debugging should be disabled | Learn |
| 118 | func-013 | Microsoft.Web/sites | High Availability | Medium | Function should avoid using Client Affinity | Learn |
| 119 | func-014 | Microsoft.Web/sites | Security | Medium | Function should use Managed Identities | Learn |
| 120 | logics-001 | Microsoft.Web/sites | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 121 | logics-004 | Microsoft.Web/sites | Security | High | Logic App should have private endpoints enabled | Learn |
| 122 | logics-006 | Microsoft.Web/sites | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 123 | logics-007 | Microsoft.Web/sites | Security | High | Logic App should use HTTPS only | Learn |
| 124 | logics-008 | Microsoft.Web/sites | Governance | Low | Logic App should have tags | Learn |
| 125 | logics-009 | Microsoft.Web/sites | Security | Medium | Logic App should use VNET integration | Learn |
| 126 | logics-010 | Microsoft.Web/sites | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | Learn |
| 127 | logics-011 | Microsoft.Web/sites | Security | Medium | Logic App should use TLS 1.2 | Learn |
| 128 | logics-012 | Microsoft.Web/sites | Security | Medium | Logic App remote debugging should be disabled | Learn |
| 129 | logics-013 | Microsoft.Web/sites | High Availability | Medium | Logic App should avoid using Client Affinity | Learn |
| 130 | logics-014 | Microsoft.Web/sites | Security | Medium | Logic App should use Managed Identities | Learn |
| 131 | 855ca19a-6518-4f2e-9e5a-01796fbca9f8 | Microsoft.Web/serverFarms | Scalability | High | Set minimum instance count to 2 for app service | Learn |
| 132 | 88cb90c2-3b99-814b-9820-821a63f600dd | Microsoft.Web/serverFarms | HighAvailability | High | Migrate App Service to availability Zone Support | Learn |
| 133 | b2113023-a553-2e41-9789-597e2fb54c31 | Microsoft.Web/serverFarms | HighAvailability | High | Use Standard or Premium tier | Learn |
| 134 | 07243659-4643-d44c-a1c6-07ac21635072 | Microsoft.Web/serverFarms | Scalability | Medium | Avoid scaling up or down | Learn |
| 135 | fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d | Microsoft.Web/sites | OtherBestPractices | High | Enable Health check for App Services | Learn |
| 136 | aab6b4a4-9981-43a4-8728-35c7ecbb746d | Microsoft.Web/sites | Governance | Medium | Configure network access restrictions | Learn |
| 137 | c6c4b962-5af4-447a-9d74-7b9c53a5dff5 | Microsoft.Web/sites | HighAvailability | Low | Enable auto heal for Functions App | Learn |
| 138 | a1d91661-32d4-430b-b3b6-5adeb0975df7 | Microsoft.Web/sites | Governance | Low | Deploy to a staging slot | Learn |
| 139 | 0b80b67c-afbe-4988-ad58-a85a146b681e | Microsoft.Web/sites | OtherBestPractices | Medium | Store configuration as app settings | Learn |
| 140 | 4ee5d535-c47b-470a-9557-4a3dd297d62f | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor CPU Utilization to ensure sufficient resources for workloads | Learn |
| 141 | 029208c8-5186-4a76-8ee8-6e3445fef4dd | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Monitor Memory Utilization to ensure sufficient resources for workloads | Learn |
| 142 | 4232eb32-3241-4049-9e14-9b8005817b56 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization | Learn |
| 143 | 9ec5b4c8-3dd8-473a-86ee-3273290331b9 | Microsoft.AVS/privateClouds | HighAvailability | Low | Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore | Learn |
| 144 | 74fcb9f2-9a25-49a6-8c42-d32851c4afb7 | Microsoft.AVS/privateClouds | MonitoringAndAlerting | High | Configure Azure Service Health notifications and alerts for Azure VMware Solution | Learn |
| 145 | ca-003 | Microsoft.App/containerApps | High Availability | High | ContainerApp should have a SLA | Learn |
| 146 | ca-006 | Microsoft.App/containerApps | Governance | Low | ContainerApp Name should comply with naming conventions | Learn |
| 147 | ca-007 | Microsoft.App/containerApps | Governance | Low | ContainerApp should have tags | Learn |
| 148 | ca-008 | Microsoft.App/containerApps | Security | Low | ContainerApp should not allow insecure ingress traffic | Learn |
| 149 | ca-009 | Microsoft.App/containerApps | Security | Low | ContainerApp should use Managed Identities | Learn |
| 150 | ca-010 | Microsoft.App/containerApps | High Availability | Low | ContainerApp should use Azure Files to persist container data | Learn |
| 151 | ca-011 | Microsoft.App/containerApps | High Availability | Low | ContainerApp should avoid using session affinity | Learn |
| 152 | cae-001 | Microsoft.App/managedenvironments | Monitoring and Alerting | Low | Container Apps Environment should have diagnostic settings enabled | Learn |
| 153 | cae-003 | Microsoft.App/managedenvironments | High Availability | High | Container Apps Environment should have a SLA | Learn |
| 154 | cae-004 | Microsoft.App/managedenvironments | Security | High | Container Apps Environment should have private endpoints enabled | Learn |
| 155 | cae-006 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment Name should comply with naming conventions | Learn |
| 156 | cae-007 | Microsoft.App/managedenvironments | Governance | Low | Container Apps Environment should have tags | Learn |
| 157 | f4201965-a88d-449d-b3b4-021394719eb2 | Microsoft.App/managedenvironments | HighAvailability | High | Deploy zone redundant Container app environments | Learn |
| 158 | ci-002 | Microsoft.ContainerInstance/containerGroups | High Availability | High | ContainerInstance should have availability zones enabled | Learn |
| 159 | ci-003 | Microsoft.ContainerInstance/containerGroups | High Availability | High | ContainerInstance should have a SLA | Learn |
| 160 | ci-004 | Microsoft.ContainerInstance/containerGroups | Security | High | ContainerInstance should use private IP addresses | Learn |
| 161 | ci-006 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance Name should comply with naming conventions | Learn |
| 162 | ci-007 | Microsoft.ContainerInstance/containerGroups | Governance | Low | ContainerInstance should have tags | Learn |
| 163 | cog-001 | Microsoft.CognitiveServices/accounts | Monitoring and Alerting | Low | Cognitive Service Account should have diagnostic settings enabled | Learn |
| 164 | cog-003 | Microsoft.CognitiveServices/accounts | High Availability | High | Cognitive Service Account should have a SLA | Learn |
| 165 | cog-004 | Microsoft.CognitiveServices/accounts | Security | High | Cognitive Service Account should have private endpoints enabled | Learn |
| 166 | cog-006 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account Name should comply with naming conventions | Learn |
| 167 | cog-007 | Microsoft.CognitiveServices/accounts | Governance | Low | Cognitive Service Account should have tags | Learn |
| 168 | cog-008 | Microsoft.CognitiveServices/accounts | Security | Medium | Cognitive Service Account should have local authentication disabled | Learn |
| 169 | f6a14b32-a727-4ace-b5fa-7b1c6bdff402 | Microsoft.Network/connections | Scalability | Medium | For better data path performance enable FastPath on ExpressRoute Connections | Learn |
| 170 | cosmos-001 | Microsoft.DocumentDB/databaseAccounts | Monitoring and Alerting | Low | CosmosDB should have diagnostic settings enabled | Learn |
| 171 | cosmos-002 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | CosmosDB should have availability zones enabled | Learn |
| 172 | cosmos-003 | Microsoft.DocumentDB/databaseAccounts | High Availability | High | CosmosDB should have a SLA | Learn |
| 173 | cosmos-004 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have private endpoints enabled | Learn |
| 174 | cosmos-006 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB Name should comply with naming conventions | Learn |
| 175 | cosmos-007 | Microsoft.DocumentDB/databaseAccounts | Governance | Low | CosmosDB should have tags | Learn |
| 176 | cosmos-008 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB should have local authentication disabled | Learn |
| 177 | cosmos-009 | Microsoft.DocumentDB/databaseAccounts | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | Learn |
| 178 | 9ce78192-74a0-104c-b5bb-9a443f941649 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Evaluate multi-region write capability | Learn |
| 179 | e544520b-8505-7841-9e77-1f1974ee86ec | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Configure continuous backup mode | Learn |
| 180 | 43663217-a1d3-844b-80ea-571a2ce37c6c | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Configure at least two regions for high availability | Learn |
| 181 | 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2 | Microsoft.DocumentDB/databaseAccounts | DisasterRecovery | High | Enable service-managed failover for multi-region accounts with single write region | Learn |
| 182 | 921631f6-ed59-49a5-94c1-f0f3ececa580 | Microsoft.DocumentDB/databaseAccounts | HighAvailability | High | Enable availability zones | Learn |
| 183 | cr-001 | Microsoft.ContainerRegistry/registries | Monitoring and Alerting | Low | ContainerRegistry should have diagnostic settings enabled | Learn |
| 184 | cr-003 | Microsoft.ContainerRegistry/registries | High Availability | High | ContainerRegistry should have a SLA | Learn |
| 185 | cr-004 | Microsoft.ContainerRegistry/registries | Security | High | ContainerRegistry should have private endpoints enabled | Learn |
| 186 | cr-006 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry Name should comply with naming conventions | Learn |
| 187 | cr-008 | Microsoft.ContainerRegistry/registries | Security | Medium | ContainerRegistry should have the Administrator account disabled | Learn |
| 188 | cr-009 | Microsoft.ContainerRegistry/registries | Governance | Low | ContainerRegistry should have tags | Learn |
| 189 | cr-010 | Microsoft.ContainerRegistry/registries | Governance | Medium | ContainerRegistry should use retention policies | Learn |
| 190 | 03f4a7d8-c5b4-7842-8e6e-14997a34842b | Microsoft.ContainerRegistry/registries | Security | Medium | Disable anonymous pull access | Learn |
| 191 | e7f0fd54-fba0-054e-9ab8-e676f2851f88 | Microsoft.ContainerRegistry/registries | DisasterRecovery | Low | Enable soft delete policy | Learn |
| 192 | eb005943-40a8-194b-9db2-474d430046b7 | Microsoft.ContainerRegistry/registries | Scalability | High | Use Premium tier for critical production workloads | Learn |
| 193 | 8e389532-5db5-7e4c-9d4d-443b3e55ae82 | Microsoft.ContainerRegistry/registries | Governance | Low | Move Container Registry to a dedicated resource group | Learn |
| 194 | 3ef86f16-f65b-c645-9901-7830d6dc3a1b | Microsoft.ContainerRegistry/registries | Scalability | Medium | Manage registry size | Learn |
| 195 | 63491f70-22e4-3b4a-8b0c-845450e46fac | Microsoft.ContainerRegistry/registries | HighAvailability | Medium | Enable zone redundancy | Learn |
| 196 | 36ea6c09-ef6e-d743-9cfb-bd0c928a430b | Microsoft.ContainerRegistry/registries | DisasterRecovery | High | Create container registries with geo-replication enabled | Learn |
| 197 | dbw-001 | Microsoft.Databricks/workspaces | Monitoring and Alerting | Low | Azure Databricks should have diagnostic settings enabled | Learn |
| 198 | dbw-003 | Microsoft.Databricks/workspaces | High Availability | High | Azure Databricks should have a SLA | Learn |
| 199 | dbw-004 | Microsoft.Databricks/workspaces | Security | High | Azure Databricks should have private endpoints enabled | Learn |
| 200 | dbw-006 | Microsoft.Databricks/workspaces | Governance | Low | Azure Databricks Name should comply with naming conventions | Learn |
| 201 | dbw-007 | Microsoft.Databricks/workspaces | Security | Medium | Azure Databricks should have the Public IP disabled | Learn |
| 202 | dec-001 | Microsoft.Kusto/clusters | Monitoring and Alerting | Low | Azure Data Explorer should have diagnostic settings enabled | Learn |
| 203 | dec-002 | Microsoft.Kusto/clusters | High Availability | High | Azure Data Explorer SLA | Learn |
| 204 | dec-003 | Microsoft.Kusto/clusters | High Availability | High | Azure Data Explorer Production Cluster should not use Dev SKU | Learn |
| 205 | dec-004 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should have private endpoints enabled | Learn |
| 206 | dec-005 | Microsoft.Kusto/clusters | Governance | Low | Azure Data Explorer should have tags | Learn |
| 207 | dec-008 | Microsoft.Kusto/clusters | Security | High | Azure Data Explorer should use Disk Encryption | Learn |
| 208 | dec-009 | Microsoft.Kusto/clusters | Security | Low | Azure Data Explorer should use Managed Identities | Learn |
| 209 | 3263a64a-c256-de48-9818-afd3cbc55c2a | Microsoft.Compute/disks | OtherBestPractices | Medium | Shared disks should only be enabled in clustered servers | Learn |
| 210 | fa0cf4f5-0b21-47b7-89a9-ee936f193ce1 | Microsoft.Compute/disks | HighAvailability | Medium | Use Azure Disks with Zone Redundant Storage for higher resiliency and availability | Learn |
| 211 | d40c769d-2f08-4980-8d8f-a386946276e6 | Microsoft.Network/expressRouteCircuits | Scalability | Medium | Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow | Learn |
| 212 | 60077378-7cb1-4b35-89bb-393884d9921d | Microsoft.Network/ExpressRoutePorts | HighAvailability | High | The Admin State of both Links of an ExpressRoute Direct should be in Enabled state | Learn |
| 213 | 0bee356b-7348-4799-8cab-0c71ffe13018 | Microsoft.Network/ExpressRoutePorts | Scalability | Medium | Ensure ExpressRoute Direct is not over-subscribed | Learn |
| 214 | evgd-001 | Microsoft.EventGrid/domains | Monitoring and Alerting | Low | Event Grid Domain should have diagnostic settings enabled | Learn |
| 215 | evgd-003 | Microsoft.EventGrid/domains | High Availability | High | Event Grid Domain should have a SLA | Learn |
| 216 | evgd-004 | Microsoft.EventGrid/domains | Security | High | Event Grid Domain should have private endpoints enabled | Learn |
| 217 | evgd-006 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain Name should comply with naming conventions | Learn |
| 218 | evgd-007 | Microsoft.EventGrid/domains | Governance | Low | Event Grid Domain should have tags | Learn |
| 219 | evgd-008 | Microsoft.EventGrid/domains | Security | Medium | Event Grid Domain should have local authentication disabled | Learn |
| 220 | evh-001 | Microsoft.EventHub/namespaces | Monitoring and Alerting | Low | Event Hub Namespace should have diagnostic settings enabled | Learn |
| 221 | evh-003 | Microsoft.EventHub/namespaces | High Availability | High | Event Hub Namespace should have a SLA | Learn |
| 222 | evh-004 | Microsoft.EventHub/namespaces | Security | High | Event Hub Namespace should have private endpoints enabled | Learn |
| 223 | evh-006 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub Namespace Name should comply with naming conventions | Learn |
| 224 | evh-007 | Microsoft.EventHub/namespaces | Governance | Low | Event Hub should have tags | Learn |
| 225 | evh-008 | Microsoft.EventHub/namespaces | Security | Medium | Event Hub should have local authentication disabled | Learn |
| 226 | 84636c6c-b317-4722-b603-7b1ffc16384b | Microsoft.EventHub/namespaces | HighAvailability | High | Ensure zone redundancy is enabled in supported regions | Learn |
| 227 | fbfef3df-04a5-41b2-a8fd-b8541eb04956 | Microsoft.EventHub/namespaces | Scalability | High | Enable auto-inflate on Event Hub Standard tier | Learn |
| 228 | 1c5e1e58-4e56-491c-8529-10f37af9d4ed | Microsoft.Compute/galleries | HighAvailability | Low | Consider creating TrustedLaunchSupported images where possible | Learn |
| 229 | b49a39fd-f431-4b61-9062-f2157849d845 | Microsoft.Compute/galleries | HighAvailability | Medium | A minimum of three replicas should be kept for production image versions | Learn |
| 230 | 488dcc8b-f2e3-40ce-bf95-73deb2db095f | Microsoft.Compute/galleries | HighAvailability | Medium | Zone redundant storage should be used for image versions | Learn |
| 231 | e7dbd21f-b27a-4b8c-a901-cedb1e6d8e1e | Microsoft.Devices/IotHubs | MonitoringAndAlerting | Low | Disabled Fallback Route | Learn |
| 232 | eeba3a49-fef0-481f-a471-7ff01139b474 | Microsoft.Devices/IotHubs | HighAvailability | High | Do not use free tier | Learn |
| 233 | b1e1378d-4572-4414-bebd-b8872a6d4d1c | Microsoft.Devices/IotHubs | Scalability | High | Use Device Provisioning Service | Learn |
| 234 | it-006 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template Name should comply with naming conventions | Learn |
| 235 | it-007 | Microsoft.VirtualMachineImages/imageTemplates | Governance | Low | Image Template should have tags | Learn |
| 236 | 21fb841b-ba70-1f4e-a460-1f72fb41aa51 | Microsoft.VirtualMachineImages/imageTemplates | DisasterRecovery | Low | Replicate your Image Templates to a secondary region | Learn |
| 237 | kv-001 | Microsoft.KeyVault/vaults | Monitoring and Alerting | Low | Key Vault should have diagnostic settings enabled | Learn |
| 238 | kv-003 | Microsoft.KeyVault/vaults | High Availability | High | Key Vault should have a SLA | Learn |
| 239 | kv-006 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault Name should comply with naming conventions | Learn |
| 240 | kv-007 | Microsoft.KeyVault/vaults | Governance | Low | Key Vault should have tags | Learn |
| 241 | 70fcfe6d-00e9-5544-a63a-fff42b9f2edb | Microsoft.KeyVault/vaults | DisasterRecovery | Medium | Key vaults should have purge protection enabled | Learn |
| 242 | 00c3d2b0-ea6e-4c4b-89be-b78a35caeb51 | Microsoft.KeyVault/vaults | Security | Medium | Private endpoint should be configured for Key Vault | Learn |
| 243 | 1cca00d2-d9ab-8e42-a788-5d40f49405cb | Microsoft.KeyVault/vaults | DisasterRecovery | High | Key vaults should have soft delete enabled | Learn |
| 244 | lb-001 | Microsoft.Network/loadBalancers | Monitoring and Alerting | Low | Load Balancer should have diagnostic settings enabled | Learn |
| 245 | lb-003 | Microsoft.Network/loadBalancers | High Availability | High | Load Balancer should have a SLA | Learn |
| 246 | lb-006 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer Name should comply with naming conventions | Learn |
| 247 | lb-007 | Microsoft.Network/loadBalancers | Governance | Low | Load Balancer should have tags | Learn |
| 248 | 38c3bca1-97a1-eb42-8cd3-838b243f35ba | Microsoft.Network/loadBalancers | HighAvailability | High | Use Standard Load Balancer SKU | Learn |
| 249 | 6d82d042-6d61-ad49-86f0-6a5455398081 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure the Backend Pool contains at least two instances | Learn |
| 250 | 8d319a05-677b-944f-b9b4-ca0fb42e883c | Microsoft.Network/loadBalancers | HighAvailability | Medium | Use NAT Gateway instead of Outbound Rules for Production Workloads | Learn |
| 251 | 621dbc78-3745-4d32-8eac-9e65b27b7512 | Microsoft.Network/loadBalancers | HighAvailability | High | Ensure Standard Load Balancer is zone-redundant | Learn |
| 252 | e5f5fcea-f925-4578-8599-9a391e888a60 | Microsoft.Network/loadBalancers | MonitoringAndAlerting | High | Use Health Probes to detect backend instances availability | Learn |
| 253 | log-003 | Microsoft.OperationalInsights/workspaces | High Availability | High | Log Analytics Workspace SLA | Learn |
| 254 | log-006 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace Name should comply with naming conventions | Learn |
| 255 | log-007 | Microsoft.OperationalInsights/workspaces | Governance | Low | Log Analytics Workspace should have tags | Learn |
| 256 | logic-001 | Microsoft.Logic/workflows | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | Learn |
| 257 | logic-003 | Microsoft.Logic/workflows | High Availability | High | Logic App should have a SLA | Learn |
| 258 | logic-004 | Microsoft.Logic/workflows | Security | High | Logic App should limit access to Http Triggers | Learn |
| 259 | logic-006 | Microsoft.Logic/workflows | Governance | Low | Logic App Name should comply with naming conventions | Learn |
| 260 | logic-007 | Microsoft.Logic/workflows | Governance | Low | Logic App should have tags | Learn |
| 261 | maria-001 | Microsoft.DBforMariaDB/servers | Monitoring and Alerting | Low | MariaDB should have diagnostic settings enabled | Learn |
| 262 | maria-002 | Microsoft.DBforMariaDB/servers | Security | High | MariaDB should have private endpoints enabled | Learn |
| 263 | maria-003 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB server Name should comply with naming conventions | Learn |
| 264 | maria-004 | Microsoft.DBforMariaDB/servers | High Availability | High | MariaDB server should have a SLA | Learn |
| 265 | maria-005 | Microsoft.DBforMariaDB/servers | Governance | Low | MariaDB should have tags | Learn |
| 266 | maria-006 | Microsoft.DBforMariaDB/servers | Security | Low | MariaDB should enforce TLS >= 1.2 | Learn |
| 267 | mysql-001 | Microsoft.DBforMySQL/servers | Monitoring and Alerting | Low | Azure Database for MySQL - Single Server should have diagnostic settings enabled | Learn |
| 268 | mysql-003 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server should have a SLA | Learn |
| 269 | mysql-004 | Microsoft.DBforMySQL/servers | Security | High | Azure Database for MySQL - Single Server should have private endpoints enabled | Learn |
| 270 | mysql-006 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server Name should comply with naming conventions | Learn |
| 271 | mysql-007 | Microsoft.DBforMySQL/servers | High Availability | High | Azure Database for MySQL - Single Server is on the retirement path | Learn |
| 272 | mysql-008 | Microsoft.DBforMySQL/servers | Governance | Low | Azure Database for MySQL - Single Server should have tags | Learn |
| 273 | mysqlf-001 | Microsoft.DBforMySQL/flexibleServers | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | Learn |
| 274 | mysqlf-003 | Microsoft.DBforMySQL/flexibleServers | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | Learn |
| 275 | mysqlf-004 | Microsoft.DBforMySQL/flexibleServers | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | Learn |
| 276 | mysqlf-006 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | Learn |
| 277 | mysqlf-007 | Microsoft.DBforMySQL/flexibleServers | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | Learn |
| 278 | 8176a79d-8645-4e52-96be-a10fc0204fe5 | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Configure storage auto-grow | Learn |
| 279 | 88856605-53d8-4bbd-a75b-4a7b14939d32 | Microsoft.DBforMySQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 280 | 82a9a0f2-24ee-496f-9ad2-25f81710942d | Microsoft.DBforMySQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 281 | 5c96afc3-7d2e-46ff-a4c7-9c32850c441b | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 282 | b49a8653-cc43-48c9-8513-a2d2e3f14dd1 | Microsoft.DBforMySQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 283 | b2fb3e60-97ec-e34d-af29-b16a0d61c2ac | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable backup for data protection in Azure NetApp Files | Learn |
| 284 | ab984130-c57b-6c4a-8d04-6723b4e1bdb6 | Microsoft.NetApp/netAppAccounts | Scalability | High | Use standard network features for production in Azure NetApp Files | Learn |
| 285 | 47d100a5-7f85-5742-967a-67eb5081240a | Microsoft.NetApp/netAppAccounts | HighAvailability | High | Use availability zones for high availability in Azure NetApp Files | Learn |
| 286 | 72827434-c773-4345-9493-34848ddf5803 | Microsoft.NetApp/netAppAccounts | HighAvailability | High | Use snapshots for data protection in Azure NetApp Files | Learn |
| 287 | e30317d2-c502-4dfe-a2d3-0a737cc79545 | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable Cross-region replication of Azure NetApp Files volumes | Learn |
| 288 | e3d742e1-dacd-9b48-b6b1-510ec9f87c96 | Microsoft.NetApp/netAppAccounts | DisasterRecovery | High | Enable Cross-zone replication of Azure NetApp Files volumes | Learn |
| 289 | ng-001 | Microsoft.Network/natGateways | Monitoring and Alerting | Low | NAT Gateway should have diagnostic settings enabled | Learn |
| 290 | ng-003 | Microsoft.Network/natGateways | High Availability | High | NAT Gateway SLA | Learn |
| 291 | ng-006 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway Name should comply with naming conventions | Learn |
| 292 | ng-007 | Microsoft.Network/natGateways | Governance | Low | NAT Gateway should have tags | Learn |
| 293 | nsg-001 | Microsoft.Network/networkSecurityGroups | Monitoring and Alerting | Low | NSG should have diagnostic settings enabled | Learn |
| 294 | nsg-003 | Microsoft.Network/networkSecurityGroups | High Availability | High | NSG SLA | Learn |
| 295 | nsg-006 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG Name should comply with naming conventions | Learn |
| 296 | nsg-007 | Microsoft.Network/networkSecurityGroups | Governance | Low | NSG should have tags | Learn |
| 297 | 8291c1fa-650c-b44b-b008-4deb7465919d | Microsoft.Network/networkSecurityGroups | Security | Medium | The NSG only has Default Security Rules, make sure to configure the necessary rules | Learn |
| 298 | 8bb4a57b-55e4-d24e-9c19-2679d8bc779f | Microsoft.Network/networkSecurityGroups | MonitoringAndAlerting | Low | Monitor changes in Network Security Groups with Azure Monitor | Learn |
| 299 | nw-003 | Microsoft.Network/networkWatchers | High Availability | High | Network Watcher SLA | Learn |
| 300 | nw-006 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher Name should comply with naming conventions | Learn |
| 301 | nw-007 | Microsoft.Network/networkWatchers | Governance | Low | Network Watcher should have tags | Learn |
| 302 | 22a769ed-0ecb-8b49-bafe-8f52e6373d9c | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Low | Fix Flow Log configurations in Failed state or Disabled Status | Learn |
| 303 | bf0b7dbd-016d-458c-af99-70fcb03ad451 | Microsoft.Network/networkWatchers | MonitoringAndAlerting | Medium | Enable traffic analytics in Virtual Network Flow Logs configuration | Learn |
| 304 | pep-003 | Microsoft.Network/privateEndpoints | High Availability | High | Private Endpoint SLA | Learn |
| 305 | pep-006 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint Name should comply with naming conventions | Learn |
| 306 | pep-007 | Microsoft.Network/privateEndpoints | Governance | Low | Private Endpoint should have tags | Learn |
| 307 | b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 | Microsoft.Network/privateEndpoints | HighAvailability | Medium | Resolve issues with Private Endpoints in non Succeeded connection state | Learn |
| 308 | pip-003 | Microsoft.Network/publicIPAddresses | High Availability | High | Public IP SLA | Learn |
| 309 | pip-006 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP Name should comply with naming conventions | Learn |
| 310 | pip-007 | Microsoft.Network/publicIPAddresses | Governance | Low | Public IP should have tags | Learn |
| 311 | c4254c66-b8a5-47aa-82f6-e7d7fb418f47 | Microsoft.Network/publicIPAddresses | Security | Medium | Public IP addresses should have DDoS protection enabled | Learn |
| 312 | c63b81fb-7afc-894c-a840-91bb8a8dcfaf | Microsoft.Network/publicIPAddresses | HighAvailability | High | Use Standard SKU and Zone-Redundant IPs when applicable | Learn |
| 313 | 1adba190-5c4c-e646-8527-dd1b2a6d8b15 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion | Learn |
| 314 | 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 | Microsoft.Network/publicIPAddresses | HighAvailability | Medium | Upgrade Basic SKU public IP addresses to Standard SKU | Learn |
| 315 | psql-001 | Microsoft.DBforPostgreSQL/servers | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 316 | psql-003 | Microsoft.DBforPostgreSQL/servers | High Availability | High | PostgreSQL should have a SLA | Learn |
| 317 | psql-004 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should have private endpoints enabled | Learn |
| 318 | psql-006 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 319 | psql-007 | Microsoft.DBforPostgreSQL/servers | Governance | Low | PostgreSQL should have tags | Learn |
| 320 | psql-008 | Microsoft.DBforPostgreSQL/servers | Security | High | PostgreSQL should enforce SSL | Learn |
| 321 | psql-009 | Microsoft.DBforPostgreSQL/servers | Security | Low | PostgreSQL should enforce TLS >= 1.2 | Learn |
| 322 | psqlf-001 | Microsoft.DBforPostgreSQL/flexibleServers | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | Learn |
| 323 | psqlf-003 | Microsoft.DBforPostgreSQL/flexibleServers | High Availability | High | PostgreSQL should have a SLA | Learn |
| 324 | psqlf-004 | Microsoft.DBforPostgreSQL/flexibleServers | Security | High | PostgreSQL should have private access enabled | Learn |
| 325 | psqlf-006 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL Name should comply with naming conventions | Learn |
| 326 | psqlf-007 | Microsoft.DBforPostgreSQL/flexibleServers | Governance | Low | PostgreSQL should have tags | Learn |
| 327 | ca87914f-aac4-4783-ab67-82a6f936f194 | Microsoft.DBforPostgreSQL/flexibleServers | HighAvailability | High | Enable HA with zone redundancy | Learn |
| 328 | b2bad57d-7e03-4c0f-9024-597c9eb295bb | Microsoft.DBforPostgreSQL/flexibleServers | Scalability | High | Enable custom maintenance schedule | Learn |
| 329 | 31f4ac4b-29cb-4588-8de2-d8fe6f13ceb3 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure geo redundant backup storage | Learn |
| 330 | 2ab85a67-26be-4ed2-a0bb-101b2513ec63 | Microsoft.DBforPostgreSQL/flexibleServers | DisasterRecovery | High | Configure one or more read replicas | Learn |
| 331 | redis-001 | Microsoft.Cache/Redis | Monitoring and Alerting | Low | Redis should have diagnostic settings enabled | Learn |
| 332 | redis-003 | Microsoft.Cache/Redis | High Availability | High | Redis should have a SLA | Learn |
| 333 | redis-006 | Microsoft.Cache/Redis | Governance | Low | Redis Name should comply with naming conventions | Learn |
| 334 | redis-007 | Microsoft.Cache/Redis | Governance | Low | Redis should have tags | Learn |
| 335 | redis-008 | Microsoft.Cache/Redis | Security | High | Redis should not enable non SSL ports | Learn |
| 336 | redis-009 | Microsoft.Cache/Redis | Security | Low | Redis should enforce TLS >= 1.2 | Learn |
| 337 | c474fc96-4e6a-4fb0-95d0-a26b3f35933c | Microsoft.Cache/redis | Security | Medium | Configure Private Endpoints | Learn |
| 338 | 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 | Microsoft.Cache/Redis | HighAvailability | High | Enable zone redundancy for Azure Cache for Redis | Learn |
| 339 | 17e877f7-3a89-4205-8a24-0670de54ddcd | Microsoft.RecoveryServices/vaults | DisasterRecovery | High | Validate VM functionality with a Site Recovery test failover to check performance at target | Learn |
| 340 | 2912472d-0198-4bdc-aa90-37f145790edc | Microsoft.RecoveryServices/vaults | MonitoringAndAlerting | Medium | Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults | Learn |
| 341 | 1549b91f-2ea0-4d4f-ba2a-4596becbe3de | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Cross Region Restore for your GRS Recovery Services Vault | Learn |
| 342 | 9e39919b-78af-4a0b-b70f-c548dae97c25 | Microsoft.RecoveryServices/vaults | DisasterRecovery | Medium | Enable Soft Delete for Recovery Services Vaults in Azure Backup | Learn |
| 343 | udr-003 | Microsoft.Network/routeTables | High Availability | High | Rout Table SLA | Learn |
| 344 | udr-006 | Microsoft.Network/routeTables | Governance | Low | Rout Table Name should comply with naming conventions | Learn |
| 345 | udr-007 | Microsoft.Network/routeTables | Governance | Low | Rout Table should have tags | Learn |
| 346 | 23b2dfc7-7e5d-9443-9f62-980ca621b561 | Microsoft.Network/routeTables | MonitoringAndAlerting | Medium | Monitor changes in Route Tables with Azure Monitor | Learn |
| 347 | sb-001 | Microsoft.ServiceBus/namespaces | Monitoring and Alerting | Low | Service Bus should have diagnostic settings enabled | Learn |
| 348 | sb-003 | Microsoft.ServiceBus/namespaces | High Availability | High | Service Bus should have a SLA | Learn |
| 349 | sb-004 | Microsoft.ServiceBus/namespaces | Security | High | Service Bus should have private endpoints enabled | Learn |
| 350 | sb-006 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus Name should comply with naming conventions | Learn |
| 351 | sb-007 | Microsoft.ServiceBus/namespaces | Governance | Low | Service Bus should have tags | Learn |
| 352 | sb-008 | Microsoft.ServiceBus/namespaces | Security | Medium | Service Bus should have local authentication disabled | Learn |
| 353 | f075a1bd-de9e-4819-9a1d-1ac41037a74f | Microsoft.ServiceBus/namespaces | ServiceUpgradeAndRetirement | High | Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher | Learn |
| 354 | sigr-001 | Microsoft.SignalRService/SignalR | Monitoring and Alerting | Low | SignalR should have diagnostic settings enabled | Learn |
| 355 | sigr-003 | Microsoft.SignalRService/SignalR | High Availability | High | SignalR should have a SLA | Learn |
| 356 | sigr-004 | Microsoft.SignalRService/SignalR | Security | High | SignalR should have private endpoints enabled | Learn |
| 357 | sigr-006 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR Name should comply with naming conventions | Learn |
| 358 | sigr-007 | Microsoft.SignalRService/SignalR | Governance | Low | SignalR should have tags | Learn |
| 359 | 6a8b3db9-5773-413a-a127-4f7032f34bbd | Microsoft.SignalRService/SignalR | HighAvailability | High | Enable zone redundancy for SignalR | Learn |
| 360 | sql-004 | Microsoft.Sql/servers | Security | High | SQL should have private endpoints enabled | Learn |
| 361 | sql-006 | Microsoft.Sql/servers | Governance | Low | SQL Name should comply with naming conventions | Learn |
| 362 | sql-007 | Microsoft.Sql/servers | Governance | Low | SQL should have tags | Learn |
| 363 | sql-008 | Microsoft.Sql/servers | Security | Low | SQL should enforce TLS >= 1.2 | Learn |
| 364 | sqldb-001 | Microsoft.Sql/servers/databases | Monitoring and Alerting | Low | SQL Database should have diagnostic settings enabled | Learn |
| 365 | sqldb-003 | Microsoft.Sql/servers/databases | High Availability | High | SQL Database should have a SLA | Learn |
| 366 | sqldb-006 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database Name should comply with naming conventions | Learn |
| 367 | sqldb-007 | Microsoft.Sql/servers/databases | Governance | Low | SQL Database should have tags | Learn |
| 368 | sqlep-002 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool Name should comply with naming conventions | Learn |
| 369 | sqlep-003 | Microsoft.Sql/servers/elasticPools | Governance | Low | SQL Elastic Pool should have tags | Learn |
| 370 | 74c2491d-048b-0041-a140-935960220e20 | Microsoft.Sql/servers | DisasterRecovery | High | Use Active Geo Replication to Create a Readable Secondary in Another Region | Learn |
| 371 | 943c168a-2ec2-a94c-8015-85732a1b4859 | Microsoft.Sql/servers | DisasterRecovery | High | Auto Failover Groups can encompass one or multiple databases, usually used by the same app. | Learn |
| 372 | c0085c32-84c0-c247-bfa9-e70977cbf108 | Microsoft.Sql/servers | HighAvailability | High | Enable zone redundancy for Azure SQL Database to achieve high availability and resiliency | Learn |
| 373 | 7e7daec9-6a81-3546-a4cc-9aef72fec1f7 | Microsoft.Sql/servers | MonitoringAndAlerting | High | Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents | Learn |
| 374 | st-001 | Microsoft.Storage/storageAccounts | Monitoring and Alerting | Low | Storage should have diagnostic settings enabled | Learn |
| 375 | st-003 | Microsoft.Storage/storageAccounts | High Availability | High | Storage should have a SLA | Learn |
| 376 | st-006 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Name should comply with naming conventions | Learn |
| 377 | st-007 | Microsoft.Storage/storageAccounts | Security | High | Storage Account should use HTTPS only | Learn |
| 378 | st-008 | Microsoft.Storage/storageAccounts | Governance | Low | Storage Account should have tags | Learn |
| 379 | st-009 | Microsoft.Storage/storageAccounts | Security | Low | Storage Account should enforce TLS >= 1.2 | Learn |
| 380 | st-010 | Microsoft.Storage/storageAccounts | Disaster Recovery | Low | Storage Account should have inmutable storage versioning enabled | Learn |
| 381 | st-011 | Microsoft.Storage/storageAccounts | Disaster Recovery | Medium | Storage Account should have soft delete enabled | Learn |
| 382 | 2ad78dec-5a4d-4a30-8fd1-8584335ad781 | Microsoft.Storage/storageAccounts | Scalability | Low | Consider upgrading legacy storage accounts to v2 storage accounts | Learn |
| 383 | dc55be60-6f8c-461e-a9d5-a3c7686ed94e | Microsoft.Storage/storageAccounts | Security | Medium | Enable Azure Private Link service for storage accounts | Learn |
| 384 | e6c7e1cc-2f47-264d-aa50-1da421314472 | Microsoft.Storage/storageAccounts | HighAvailability | High | Ensure that storage accounts are zone or region redundant | Learn |
| 385 | syndp-001 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool Name should comply with naming conventions | Learn |
| 386 | syndp-002 | Microsoft.Synapse/workspaces/sqlPools | High Availability | High | Azure Synapse Dedicated SQL Pool SLA | Learn |
| 387 | syndp-003 | Microsoft.Synapse/workspaces/sqlPools | Governance | Low | Azure Synapse Dedicated SQL Pool should have tags | Learn |
| 388 | synsp-001 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool Name should comply with naming conventions | Learn |
| 389 | synsp-002 | Microsoft.Synapse workspaces/bigDataPools | High Availability | High | Azure Synapse Spark Pool SLA | Learn |
| 390 | synsp-003 | Microsoft.Synapse workspaces/bigDataPools | Governance | Low | Azure Synapse Spark Pool should have tags | Learn |
| 391 | synw-001 | Microsoft.Synapse/workspaces | Monitoring and Alerting | Low | Azure Synapse Workspace should have diagnostic settings enabled | Learn |
| 392 | synw-002 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should have private endpoints enabled | Learn |
| 393 | synw-003 | Microsoft.Synapse/workspaces | High Availability | High | Azure Synapse Workspace SLA | Learn |
| 394 | synw-004 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace Name should comply with naming conventions | Learn |
| 395 | synw-005 | Microsoft.Synapse/workspaces | Governance | Low | Azure Synapse Workspace should have tags | Learn |
| 396 | synw-006 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should establish network segmentation boundaries | Learn |
| 397 | synw-007 | Microsoft.Synapse/workspaces | Security | High | Azure Synapse Workspace should disable public network access | Learn |
| 398 | traf-001 | Microsoft.Network/trafficManagerProfiles | Monitoring and Alerting | Low | Traffic Manager should have diagnostic settings enabled | Learn |
| 399 | traf-002 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager should have availability zones enabled | Learn |
| 400 | traf-003 | Microsoft.Network/trafficManagerProfiles | High Availability | High | Traffic Manager should have a SLA | Learn |
| 401 | traf-006 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager Name should comply with naming conventions | Learn |
| 402 | traf-007 | Microsoft.Network/trafficManagerProfiles | Governance | Low | Traffic Manager should have tags | Learn |
| 403 | traf-009 | Microsoft.Network/trafficManagerProfiles | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | Learn |
| 404 | f05a3e6d-49db-2740-88e2-2b13706c1f67 | Microsoft.Network/trafficManagerProfiles | HighAvailability | High | Traffic Manager Monitor Status Should be Online | Learn |
| 405 | 5b422a7f-8caa-3d48-becb-511599e5bba9 | Microsoft.Network/trafficManagerProfiles | HighAvailability | Medium | Traffic manager profiles should have more than one endpoint | Learn |
| 406 | 1ad9d7b7-9692-1441-a8f4-93792efbe97a | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | Medium | Configure at least one endpoint within a another region | Learn |
| 407 | c31f76a0-48cd-9f44-aa43-99ee904db9bc | Microsoft.Network/trafficManagerProfiles | DisasterRecovery | High | Ensure endpoint configured to (All World) for geographic profiles | Learn |
| 408 | 9437634c-d69e-2747-b13e-631c13182150 | Microsoft.Network/trafficManagerProfiles | BusinessContinuity | High | Avoid combining Traffic Manager and Front Door | Learn |
| 409 | 979ff8be-5f3a-4d8e-9aa3-407ecdd6d6f7 | Microsoft.DesktopVirtualization/hostPools | Governance | Medium | Configure host pool scheduled agent updates | Learn |
| 410 | vgw-001 | Microsoft.Network/virtualNetworkGateways | Monitoring and Alerting | Low | Virtual Network Gateway should have diagnostic settings enabled | Learn |
| 411 | vgw-002 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway Name should comply with naming conventions | Learn |
| 412 | vgw-003 | Microsoft.Network/virtualNetworkGateways | Governance | Low | Virtual Network Gateway should have tags | Learn |
| 413 | vgw-004 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Virtual Network Gateway should have a SLA | Learn |
| 414 | vgw-005 | Microsoft.Network/virtualNetworkGateways | High Availability | High | Storage should have availability zones enabled | Learn |
| 415 | 281a2713-c0e0-3c48-b596-19f590c46671 | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Enable Active-Active VPN Gateways for redundancy | Learn |
| 416 | bbe668b7-eb5c-c746-8b82-70afdedf0cae | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Use Zone-redundant ExpressRoute gateway SKUs | Learn |
| 417 | 3e115044-a3aa-433e-be01-ce17d67e50da | Microsoft.Network/virtualNetworkGateways | HighAvailability | Medium | Configure customer-controlled ExpressRoute gateway maintenance | Learn |
| 418 | 5b1933a6-90e4-f642-a01f-e58594e5aab2 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Choose a Zone-redundant VPN gateway | Learn |
| 419 | d37db635-157f-584d-9bce-4f6fc8c65ce5 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Connect ExpressRoute gateway with circuits from diverse peering locations | Learn |
| 420 | 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 | Microsoft.Network/virtualNetworkGateways | HighAvailability | High | Deploy VPN gateways with zone-redundant Public IPs | Learn |
| 421 | vm-003 | Microsoft.Compute/virtualMachines | High Availability | High | Virtual Machine should have a SLA | Learn |
| 422 | vm-006 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine Name should comply with naming conventions | Learn |
| 423 | vm-007 | Microsoft.Compute/virtualMachines | Governance | Low | Virtual Machine should have tags | Learn |
| 424 | 4ea2878f-0d69-8d4a-b715-afc10d1e538e | Microsoft.Compute/virtualMachines | Scalability | Low | Host database data on a data disk | Learn |
| 425 | f0a97179-133a-6e4f-8a49-8a44da73ffce | Microsoft.Compute/virtualMachines | Security | High | Virtual Machines should have Azure Disk Encryption or EncryptionAtHost enabled | Learn |
| 426 | c42343ae-2712-2843-a285-3437eb0b28a1 | Microsoft.Compute/virtualMachines | Governance | Low | Ensure that your VMs are compliant with Azure Policies | Learn |
| 427 | 302fda08-ee65-4fbe-a916-6dc0b33169c4 | Microsoft.Compute/virtualMachines | HighAvailability | High | Reserve Compute Capacity for critical workloads | Learn |
| 428 | 2bd0be95-a825-6f47-a8c6-3db1fb5eb387 | Microsoft.Compute/virtualMachines | HighAvailability | High | Deploy VMs across Availability Zones | Learn |
| 429 | 98b334c0-8578-6046-9e43-b6e8fce6318e | Microsoft.Compute/virtualMachines | Governance | Low | Review VMs in stopped state | Learn |
| 430 | 1f629a30-c9d0-d241-82ee-6f2eb9d42cb4 | Microsoft.Compute/virtualMachines | Security | Medium | VMs should not have a Public IP directly associated | Learn |
| 431 | b72214bb-e879-5f4b-b9cd-642db84f36f4 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Enable VM Insights | Learn |
| 432 | 4a9d8973-6dba-0042-b3aa-07924877ebd5 | Microsoft.Compute/virtualMachines | MonitoringAndAlerting | Low | Configure monitoring for all Azure Virtual Machines | Learn |
| 433 | 1cf8fe21-9593-1e4e-966b-779a294c0d30 | Microsoft.Compute/virtualMachines | OtherBestPractices | Low | Customer DNS Servers should be configured in the Virtual Network level | Learn |
| 434 | df0ff862-814d-45a3-95e4-4fad5a244ba6 | Microsoft.Compute/virtualMachines | Scalability | High | Mission Critical Workloads should consider using Premium or Ultra Disks | Learn |
| 435 | 70b1d2be-e6c4-b54e-9959-b1b690f9e485 | Microsoft.Compute/virtualMachines | Security | Low | Network access to the VM disk should be set to Disable public access and enable private access | Learn |
| 436 | 3201dba8-d1da-4826-98a4-104066545170 | Microsoft.Compute/virtualMachines | Scalability | High | Don’t use A or B-Series VMs for production needing constant full CPU performance | Learn |
| 437 | a8d25876-7951-b646-b4e8-880c9031596b | Microsoft.Compute/virtualMachines | HighAvailability | High | Migrate VMs using availability sets to VMSS Flex | Learn |
| 438 | cfe22a65-b1db-fd41-9e8e-d573922709ae | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Replicate VMs using Azure Site Recovery | Learn |
| 439 | dfedbeb1-1519-fc47-86a5-52f96cf07105 | Microsoft.Compute/virtualMachines | Scalability | Medium | Enable Accelerated Networking (AccelNet) | Learn |
| 440 | 273f6b30-68e0-4241-85ea-acf15ffb60bf | Microsoft.Compute/virtualMachines | HighAvailability | High | Run production workloads on two or more VMs using VMSS Flex | Learn |
| 441 | 82b3cf6b-9ae2-2e44-b193-10793213f676 | Microsoft.Compute/virtualMachines | Security | Low | VM network interfaces and associated subnets both have a Network Security Group associated | Learn |
| 442 | 52ab9e5c-eec0-3148-8bd7-b6dd9e1be870 | Microsoft.Compute/virtualMachines | HighAvailability | High | Use maintenance configurations for the VMs | Learn |
| 443 | 122d11d7-b91f-8747-a562-f56b79bcfbdc | Microsoft.Compute/virtualMachines | HighAvailability | High | Use Managed Disks for VM disks | Learn |
| 444 | 1981f704-97b9-b645-9c57-33f8ded9261a | Microsoft.Compute/virtualMachines | DisasterRecovery | Medium | Backup VMs with Azure Backup service | Learn |
| 445 | 41a22a5e-5e08-9647-92d0-2ffe9ef1bdad | Microsoft.Compute/virtualMachines | Security | Medium | IP Forwarding should only be enabled for Network Virtual Appliances | Learn |
| 446 | vmss-003 | Microsoft.Compute/virtualMachineScaleSets | High Availability | High | Virtual Machine should have a SLA | Learn |
| 447 | vmss-004 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set Name should comply with naming conventions | Learn |
| 448 | vmss-005 | Microsoft.Compute/virtualMachineScaleSets | Governance | Low | Virtual Machine Scale Set should have tags | Learn |
| 449 | e7495e1c-0c75-0946-b266-b429b5c7f3bf | Microsoft.Compute/virtualMachineScaleSets | Scalability | Medium | Deploy VMSS with Flex orchestration mode instead of Uniform | Learn |
| 450 | 94794d2a-eff0-2345-9b67-6f9349d0a627 | Microsoft.Compute/virtualMachineScaleSets | MonitoringAndAlerting | Medium | Enable Azure Virtual Machine Scale Set Application Health Monitoring | Learn |
| 451 | ee66ff65-9aa3-2345-93c1-25827cf79f44 | Microsoft.Compute/virtualMachineScaleSets | Scalability | High | Configure VMSS Autoscale to custom and configure the scaling metrics | Learn |
| 452 | 1422c567-782c-7148-ac7c-5fc14cf45adc | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Deploy VMSS across availability zones with VMSS Flex | Learn |
| 453 | 820f4743-1f94-e946-ae0b-45efafd87962 | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Enable Automatic Repair Policy on Azure Virtual Machine Scale Sets | Learn |
| 454 | 3f85a51c-e286-9f44-b4dc-51d00768696c | Microsoft.Compute/virtualMachineScaleSets | Scalability | Low | Enable Predictive autoscale and configure at least for Forecast Only | Learn |
| 455 | b5a63aa0-c58e-244f-b8a6-cbba0560a6db | Microsoft.Compute/virtualMachineScaleSets | HighAvailability | High | Disable Force strictly even balance across zones to avoid scale in and out fail attempts | Learn |
| 456 | e4ffd7b0-ba24-c84e-9352-ba4819f908c0 | Microsoft.Compute/virtualMachineScaleSets | OtherBestPractices | Low | Set Patch orchestration options to Azure-orchestrated | Learn |
| 457 | vnet-001 | Microsoft.Network/virtualNetworks | Monitoring and Alerting | Low | Virtual Network should have diagnostic settings enabled | Learn |
| 458 | vnet-006 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network Name should comply with naming conventions | Learn |
| 459 | vnet-007 | Microsoft.Network/virtualNetworks | Governance | Low | Virtual Network should have tags | Learn |
| 460 | vnet-009 | Microsoft.Network/virtualNetworks | High Availability | High | Virtual Network should have at least two DNS servers assigned | Learn |
| 461 | 69ea1185-19b7-de40-9da1-9e8493547a5c | Microsoft.Network/virtualNetworks | Security | High | Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans | Learn |
| 462 | 24ae3773-cc2c-3649-88de-c9788e25b463 | Microsoft.Network/virtualNetworks | Security | Medium | When available, use Private Endpoints instead of Service Endpoints for PaaS Services | Learn |
| 463 | 06b77be9-56a3-4d41-b362-8b295c5a283d | Microsoft.Network/virtualNetworks | MonitoringAndAlerting | Medium | Enable Virtual Network Flow Logs | Learn |
| 464 | f0bf9ae6-25a5-974d-87d5-025abec73539 | Microsoft.Network/virtualNetworks | Security | Low | All Subnets should have a Network Security Group associated | Learn |
| 465 | vwa-001 | Microsoft.Network/virtualWans | Monitoring and Alerting | Medium | Virtual WAN should have diagnostic settings enabled | Learn |
| 466 | vwa-002 | Microsoft.Network/virtualWans | High Availability | High | Virtual WAN should have availability zones enabled | Learn |
| 467 | vwa-003 | Microsoft.Network/virtualWans | High Availability | High | Virtual WAN should have a SLA | Learn |
| 468 | vwa-005 | Microsoft.Network/virtualWans | High Availability | High | Virtual WAN Type | Learn |
| 469 | vwa-006 | Microsoft.Network/virtualWans | Governance | Low | Virtual WAN Name should comply with naming conventions | Learn |
| 470 | vwa-007 | Microsoft.Network/virtualWans | Governance | Low | Virtual WAN should have tags | Learn |
| 471 | wps-001 | Microsoft.SignalRService/webPubSub | Monitoring and Alerting | Low | Web Pub Sub should have diagnostic settings enabled | Learn |
| 472 | wps-002 | Microsoft.SignalRService/webPubSub | High Availability | High | Web Pub Sub should have availability zones enabled | Learn |
| 473 | wps-003 | Microsoft.SignalRService/webPubSub | High Availability | High | Web Pub Sub should have a SLA | Learn |
| 474 | wps-004 | Microsoft.SignalRService/webPubSub | Security | High | Web Pub Sub should have private endpoints enabled | Learn |
| 475 | wps-006 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub Name should comply with naming conventions | Learn |
| 476 | wps-007 | Microsoft.SignalRService/webPubSub | Governance | Low | Web Pub Sub should have tags | Learn |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified January 23, 2025: feat: added defender recommendations #325 fix: #337 (0dab144)