subhendu@subhendumct.com

All Azure policy in one place

You may have tried to find all Azure Policy definitions in one place as plain text and not found such a list. The same happened to me, so I spent hours compiling one. Here is the list of all Azure Policy definitions in one place.

Here are all the built-in policies:

Advanced data security should be enabled on your SQL servers
Advanced Threat Protection types should be set to ‘All’ in SQL managed instance Advanced Data Security settings
Advanced Threat Protection types should be set to ‘All’ in SQL server Advanced Data Security settings
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace
An Azure Active Directory administrator should be provisioned for SQL servers
API App should only be accessible over HTTPS
Append tag and its default value to resource groups
Append tag and its default value
Append tag and its value from the resource group
Audit diagnostic setting
Audit Linux VMs that do not have the specified applications installed
Audit Linux VMs that have the specified applications installed
Audit resource location matches resource group location
Audit SQL DB Level Audit Setting
Audit unrestricted network access to storage accounts
Audit usage of custom RBAC rules
Audit Windows Server VMs on which Windows Serial Console is not enabled
Audit Windows VMs in which the Administrators group contains any of the specified members
Audit Windows VMs in which the Administrators group does not contain all of the specified members
Audit Windows VMs in which the Administrators group does not contain only the specified members
Audit Windows VMs on which the specified services are not installed and ‘Running’
Audit Windows VMs that are not joined to the specified domain
Audit Windows VMs that are not set to the specified time zone
Audit Windows VMs that do not have the specified applications installed
Audit Windows VMs that do not have the specified Windows PowerShell execution policy
Audit Windows VMs that do not have the specified Windows PowerShell modules installed
Audit Windows VMs that have the specified applications installed
Audit Windows web servers that are not using secure communication protocols
Auditing should be enabled on advanced data security settings on SQL Server
Authorization rules on the Event Hub instance should be defined
Automatic provisioning of security monitoring agent
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription
Automation account variables should be encrypted
CORS should not allow every resource to access your API App
CORS should not allow every resource to access your Function Apps
CORS should not allow every resource to access your Web Applications
Deploy Advanced Data Security on SQL servers
Deploy Advanced Threat Protection for Cosmos DB Accounts
Deploy Advanced Threat Protection on Storage Accounts
Deploy Auditing on SQL servers
Deploy default Log Analytics Agent for Ubuntu VMs
Deploy default Microsoft IaaSAntimalware extension for Windows Server
Deploy Diagnostic Settings for Azure SQL Database to Event Hub
Deploy Diagnostic Settings for Key Vault to Event Hub
Deploy Diagnostic Settings for Network Security Groups
Deploy network watcher when virtual networks are created
Deploy requirements to audit Linux VMs that do not have the specified applications installed
Deploy requirements to audit Linux VMs that have the specified applications installed
Deploy requirements to audit Windows Server VMs on which Windows Serial Console is not enabled
Deploy requirements to audit Windows VMs in which the Administrators group contains any of the specified members
Deploy requirements to audit Windows VMs in which the Administrators group does not contain all of the specified members
Deploy requirements to audit Windows VMs in which the Administrators group does not contain only the specified members
Deploy requirements to audit Windows VMs on which the specified services are not installed and ‘Running’
Deploy requirements to audit Windows VMs that are not joined to the specified domain
Deploy requirements to audit Windows VMs that are not set to the specified time zone
Deploy requirements to audit Windows VMs that do not have the specified applications installed
Deploy requirements to audit Windows VMs that do not have the specified Windows PowerShell execution policy
Deploy requirements to audit Windows VMs that do not have the specified Windows PowerShell modules installed
Deploy requirements to audit Windows VMs that have the specified applications installed
Deploy requirements to audit Windows VMs with a pending reboot
Deploy requirements to audit Windows web servers that are not using secure communication protocols
Deploy SQL DB transparent data encryption
Deploy Threat Detection on SQL servers
Deprecated accounts should be removed from your subscription
Deprecated accounts with owner permissions should be removed from your subscription
Diagnostic logs in App Services should be enabled
Diagnostic logs in Azure Data Lake Store should be enabled
Diagnostic logs in Azure Stream Analytics should be enabled
Diagnostic logs in Batch accounts should be enabled
Diagnostic logs in Data Lake Analytics should be enabled
Diagnostic logs in Event Hub should be enabled
Diagnostic logs in IoT Hub should be enabled
Diagnostic logs in Key Vault should be enabled
Diagnostic logs in Logic Apps should be enabled
Diagnostic logs in Search services should be enabled
Diagnostic logs in Service Bus should be enabled
Diagnostic logs in Virtual Machine Scale Sets should be enabled
Email notification to subscription owner for high severity alerts should be enabled
Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
Endpoint protection solution should be installed on virtual machine scale sets
Enforce SSL connection should be enabled for MySQL database servers
Enforce SSL connection should be enabled for PostgreSQL database servers
External accounts with owner permissions should be removed from your subscription
External accounts with read permissions should be removed from your subscription
External accounts with write permissions should be removed from your subscription
Function App should only be accessible over HTTPS
Gateway subnets should not be configured with a network security group
Just-In-Time network access control should be applied on virtual machines
Key Vault objects should be recoverable
Metric alert rules should be configured on Batch accounts
MFA should be enabled accounts with write permissions on your subscription
MFA should be enabled on accounts with owner permissions on your subscription
MFA should be enabled on accounts with read permissions on your subscription
Microsoft Antimalware for Azure should be configured to automatically update protection signatures
Microsoft IaaSAntimalware extension should be deployed on Windows servers
Monitor missing Endpoint Protection in Azure Security Center
Network interfaces should disable IP forwarding
Network Security Group Rules for Internet facing virtual machines should be hardened
Network Watcher should be enabled
Only secure connections to your Redis Cache should be enabled
Remote debugging should be turned off for API Apps
Remote debugging should be turned off for Function Apps
Remote debugging should be turned off for Web Applications
Require automatic OS image patching on Virtual Machine Scale Sets
Require encryption on Data Lake Store accounts
Require specified tag on resource groups
Require specified tag
Require SQL Server version 12.0
Require tag and its value on resource groups
Require tag and its value
Secure transfer to storage accounts should be enabled
Security Center standard pricing tier should be selected
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Service Fabric clusters should only use Azure Active Directory for client authentication
SQL Auditing settings should have Action-Groups configured to capture critical activities
SQL managed instance TDE protector should be encrypted with your own key
SQL server TDE protector should be encrypted with your own key
SQL servers should be configured with auditing retention days greater than 90 days
Storage accounts should be migrated to new Azure Resource Manager resources
System updates on virtual machine scale sets should be installed
System updates should be installed on your machines
The NSGs rules for web applications on IaaS should be hardened
There should be more than one owner assigned to your subscription
Transparent Data Encryption on SQL databases should be enabled
Virtual machines should be migrated to new Azure Resource Manager resources
Vulnerabilities in container security configurations should be remediated
Vulnerabilities in security configuration on your machines should be remediated
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Vulnerabilities on your SQL databases should be remediated
Vulnerabilities should be remediated by a Vulnerability Assessment solution
Vulnerability assessment should be enabled on your SQL managed instances
Vulnerability assessment should be enabled on your SQL servers
A maximum of 3 owners should be designated for your subscription
A security contact email address should be provided for your subscription
A security contact phone number should be provided for your subscription
Adaptive Application Controls should be enabled on virtual machines
Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
Advanced data security settings for SQL server should contain an email address to receive security alerts
Advanced data security should be enabled on your SQL managed instances
Allow resource creation if ‘department’ tag set
Allow resource creation if ‘environment’ tag value in allowed values
Allow resource creation only in Asia data centers
Allow resource creation only in European data centers
Allow resource creation only in India data centers
Allow resource creation only in Japan data centers
Allow resource creation only in United States data centers
Allowed locations for resource groups
Allowed locations
Allowed resource types
Allowed storage account SKUs
Allowed virtual machine SKUs
Audit virtual machines without disaster recovery configured
Audit VMs that do not use managed disks
Audit Windows VMs with a pending reboot
DDoS Protection Standard should be enabled
Disk encryption should be applied on virtual machines
Email notification for high severity alerts should be enabled
Management ports should be closed on your virtual machines
Network interfaces should not have public IPs
Not allowed resource types
Subnets should be associated with a Network Security Group
Unattached disks should be encrypted
Virtual machines should be associated with a Network Security Group
Web Application should only be accessible over HTTPS
Access through Internet facing endpoint should be restricted

Now the list of all policies that are in preview mode:

Access to App Services should be restricted
Audit Dependency Agent Deployment – VM Image (OS) unlisted
Audit Dependency Agent Deployment in VMSS – VM Image (OS) unlisted
Audit Linux VMs that allow remote connections from accounts without passwords
Audit Linux VMs that do not have the passwd file permissions set to 0644
Audit Linux VMs that have accounts without passwords
Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
Audit Log Analytics Workspace for VM – Report Mismatch
Audit Windows VMs on which the DSC configuration is not compliant
Audit Windows VMs on which the Log Analytics agent is not connected as expected
Audit Windows VMs on which the remote host connection status does not match the specified one
Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Audit Windows VMs that allow re-use of the previous 24 passwords
Audit Windows VMs that contain certificates expiring within the specified number of days
Audit Windows VMs that do not contain the specified certificates in Trusted Root
Audit Windows VMs that do not have a maximum password age of 70 days
Audit Windows VMs that do not have a minimum password age of 1 day
Audit Windows VMs that do not have the password complexity setting enabled
Audit Windows VMs that do not restrict the minimum password length to 14 characters
Audit Windows VMs that do not store passwords using reversible encryption
Audit Windows VMs that have not restarted within the specified number of days
Authorized IP ranges should be defined on Kubernetes Services
Deploy Dependency Agent for Linux VM Scale Sets (VMSS)
Deploy Dependency Agent for Linux VMs
Deploy Dependency Agent for Windows VM Scale Sets (VMSS)
Deploy Dependency Agent for Windows VMs
Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)
Deploy Log Analytics Agent for Linux VMs
Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)
Deploy Log Analytics Agent for Windows VMs
Deploy requirements to audit Linux VMs that allow remote connections from accounts without passwords
Deploy requirements to audit Linux VMs that do not have the passwd file permissions set to 0644
Deploy requirements to audit Linux VMs that have accounts without passwords
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – Control Panel’
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – Network’
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – System’
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – MSS (Legacy)’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Accounts’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Audit’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Devices’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Interactive Logon’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Microsoft Network Client’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Microsoft Network Server’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Network Access’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Network Security’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Recovery console’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Shutdown’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – System objects’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – System settings’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – User Account Control’
Deploy requirements to audit Windows VMs configurations in ‘Security Settings – Account Policies’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Account Logon’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Account Management’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Detailed Tracking’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Logon-Logoff’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Object Access’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Policy Change’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Privilege Use’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – System’
Deploy requirements to audit Windows VMs configurations in ‘User Rights Assignment’
Deploy requirements to audit Windows VMs configurations in ‘Windows Components’
Deploy requirements to audit Windows VMs configurations in ‘Windows Firewall Properties’
Deploy requirements to audit Windows VMs on which the DSC configuration is not compliant
Deploy requirements to audit Windows VMs on which the Log Analytics agent is not connected as expected
Deploy requirements to audit Windows VMs on which the remote host connection status does not match the specified one
Deploy requirements to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Deploy requirements to audit Windows VMs that allow re-use of the previous 24 passwords
Deploy requirements to audit Windows VMs that contain certificates expiring within the specified number of days
Deploy requirements to audit Windows VMs that do not contain the specified certificates in Trusted Root
Deploy requirements to audit Windows VMs that do not have a maximum password age of 70 days
Deploy requirements to audit Windows VMs that do not have a minimum password age of 1 day
Deploy requirements to audit Windows VMs that do not have the password complexity setting enabled
Deploy requirements to audit Windows VMs that do not restrict the minimum password length to 14 characters
Deploy requirements to audit Windows VMs that do not store passwords using reversible encryption
Deploy requirements to audit Windows VMs that have not restarted within the specified number of days
IP Forwarding on your virtual machine should be disabled
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Pod Security Policies should be defined on Kubernetes Services
Role-Based Access Control (RBAC) should be used on Kubernetes Services
Sensitive data in your SQL databases should be classified
Show audit results from Windows VMs configurations in ‘Administrative Templates – Control Panel’
Show audit results from Windows VMs configurations in ‘Administrative Templates – Network’
Show audit results from Windows VMs configurations in ‘Administrative Templates – System’
Show audit results from Windows VMs configurations in ‘Administrative Templates – MSS (Legacy)’
Show audit results from Windows VMs configurations in ‘Security Options – Accounts’
Show audit results from Windows VMs configurations in ‘Security Options – Audit’
Show audit results from Windows VMs configurations in ‘Security Options – Devices’
Show audit results from Windows VMs configurations in ‘Security Options – Interactive Logon’
Show audit results from Windows VMs configurations in ‘Security Options – Microsoft Network Client’
Show audit results from Windows VMs configurations in ‘Security Options – Microsoft Network Server’
Show audit results from Windows VMs configurations in ‘Security Options – Network Access’
Show audit results from Windows VMs configurations in ‘Security Options – Network Security’
Show audit results from Windows VMs configurations in ‘Security Options – Recovery console’
Show audit results from Windows VMs configurations in ‘Security Options – Shutdown’
Show audit results from Windows VMs configurations in ‘Security Options – System objects’
Show audit results from Windows VMs configurations in ‘Security Options – System settings’
Show audit results from Windows VMs configurations in ‘Security Options – User Account Control’
Show audit results from Windows VMs configurations in ‘Security Settings – Account Policies’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Account Logon’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Account Management’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Detailed Tracking’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Logon-Logoff’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Object Access’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Policy Change’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Privilege Use’
Show audit results from Windows VMs configurations in ‘System Audit Policies – System’
Show audit results from Windows VMs configurations in ‘User Rights Assignment’
Show audit results from Windows VMs configurations in ‘Windows Components’
Show audit results from Windows VMs configurations in ‘Windows Firewall Properties’
