All Azure policy in one place
You may have tried to find all Azure Policy definitions in one place as simple text, but not found such a list; that happened to me as well, so I spent hours creating one. Here is the list of all Azure Policy definitions in one place.
Here are all the built-in policies:
Advanced data security should be enabled on your SQL servers
Advanced Threat Protection types should be set to ‘All’ in SQL managed instance Advanced Data Security settings
Advanced Threat Protection types should be set to ‘All’ in SQL server Advanced Data Security settings
All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace
An Azure Active Directory administrator should be provisioned for SQL servers
API App should only be accessible over HTTPS
Append tag and its default value to resource groups
Append tag and its default value
Append tag and its value from the resource group
Audit diagnostic setting
Audit Linux VMs that do not have the specified applications installed
Audit Linux VMs that have the specified applications installed
Audit resource location matches resource group location
Audit SQL DB Level Audit Setting
Audit unrestricted network access to storage accounts
Audit usage of custom RBAC rules
Audit Windows Server VMs on which Windows Serial Console is not enabled
Audit Windows VMs in which the Administrators group contains any of the specified members
Audit Windows VMs in which the Administrators group does not contain all of the specified members
Audit Windows VMs in which the Administrators group does not contain only the specified members
Audit Windows VMs on which the specified services are not installed and ‘Running’
Audit Windows VMs that are not joined to the specified domain
Audit Windows VMs that are not set to the specified time zone
Audit Windows VMs that do not have the specified applications installed
Audit Windows VMs that do not have the specified Windows PowerShell execution policy
Audit Windows VMs that do not have the specified Windows PowerShell modules installed
Audit Windows VMs that have the specified applications installed
Audit Windows web servers that are not using secure communication protocols
Auditing should be enabled on advanced data security settings on SQL Server
Authorization rules on the Event Hub instance should be defined
Automatic provisioning of security monitoring agent
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription
Automation account variables should be encrypted
CORS should not allow every resource to access your API App
CORS should not allow every resource to access your Function Apps
CORS should not allow every resource to access your Web Applications
Deploy Advanced Data Security on SQL servers
Deploy Advanced Threat Protection for Cosmos DB Accounts
Deploy Advanced Threat Protection on Storage Accounts
Deploy Auditing on SQL servers
Deploy default Log Analytics Agent for Ubuntu VMs
Deploy default Microsoft IaaSAntimalware extension for Windows Server
Deploy Diagnostic Settings for Azure SQL Database to Event Hub
Deploy Diagnostic Settings for Key Vault to Event Hub
Deploy Diagnostic Settings for Network Security Groups
Deploy network watcher when virtual networks are created
Deploy requirements to audit Linux VMs that do not have the specified applications installed
Deploy requirements to audit Linux VMs that have the specified applications installed
Deploy requirements to audit Windows Server VMs on which Windows Serial Console is not enabled
Deploy requirements to audit Windows VMs in which the Administrators group contains any of the specified members
Deploy requirements to audit Windows VMs in which the Administrators group does not contain all of the specified members
Deploy requirements to audit Windows VMs in which the Administrators group does not contain only the specified members
Deploy requirements to audit Windows VMs on which the specified services are not installed and ‘Running’
Deploy requirements to audit Windows VMs that are not joined to the specified domain
Deploy requirements to audit Windows VMs that are not set to the specified time zone
Deploy requirements to audit Windows VMs that do not have the specified applications installed
Deploy requirements to audit Windows VMs that do not have the specified Windows PowerShell execution policy
Deploy requirements to audit Windows VMs that do not have the specified Windows PowerShell modules installed
Deploy requirements to audit Windows VMs that have the specified applications installed
Deploy requirements to audit Windows VMs with a pending reboot
Deploy requirements to audit Windows web servers that are not using secure communication protocols
Deploy SQL DB transparent data encryption
Deploy Threat Detection on SQL servers
Deprecated accounts should be removed from your subscription
Deprecated accounts with owner permissions should be removed from your subscription
Diagnostic logs in App Services should be enabled
Diagnostic logs in Azure Data Lake Store should be enabled
Diagnostic logs in Azure Stream Analytics should be enabled
Diagnostic logs in Batch accounts should be enabled
Diagnostic logs in Data Lake Analytics should be enabled
Diagnostic logs in Event Hub should be enabled
Diagnostic logs in IoT Hub should be enabled
Diagnostic logs in Key Vault should be enabled
Diagnostic logs in Logic Apps should be enabled
Diagnostic logs in Search services should be enabled
Diagnostic logs in Service Bus should be enabled
Diagnostic logs in Virtual Machine Scale Sets should be enabled
Email notification to subscription owner for high severity alerts should be enabled
Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
Endpoint protection solution should be installed on virtual machine scale sets
Enforce SSL connection should be enabled for MySQL database servers
Enforce SSL connection should be enabled for PostgreSQL database servers
External accounts with owner permissions should be removed from your subscription
External accounts with read permissions should be removed from your subscription
External accounts with write permissions should be removed from your subscription
Function App should only be accessible over HTTPS
Gateway subnets should not be configured with a network security group
Just-In-Time network access control should be applied on virtual machines
Key Vault objects should be recoverable
Metric alert rules should be configured on Batch accounts
MFA should be enabled accounts with write permissions on your subscription
MFA should be enabled on accounts with owner permissions on your subscription
MFA should be enabled on accounts with read permissions on your subscription
Microsoft Antimalware for Azure should be configured to automatically update protection signatures
Microsoft IaaSAntimalware extension should be deployed on Windows servers
Monitor missing Endpoint Protection in Azure Security Center
Network interfaces should disable IP forwarding
Network Security Group Rules for Internet facing virtual machines should be hardened
Network Watcher should be enabled
Only secure connections to your Redis Cache should be enabled
Remote debugging should be turned off for API Apps
Remote debugging should be turned off for Function Apps
Remote debugging should be turned off for Web Applications
Require automatic OS image patching on Virtual Machine Scale Sets
Require encryption on Data Lake Store accounts
Require specified tag on resource groups
Require specified tag
Require SQL Server version 12.0
Require tag and its value on resource groups
Require tag and its value
Secure transfer to storage accounts should be enabled
Security Center standard pricing tier should be selected
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
Service Fabric clusters should only use Azure Active Directory for client authentication
SQL Auditing settings should have Action-Groups configured to capture critical activities
SQL managed instance TDE protector should be encrypted with your own key
SQL server TDE protector should be encrypted with your own key
SQL servers should be configured with auditing retention days greater than 90 days
Storage accounts should be migrated to new Azure Resource Manager resources
System updates on virtual machine scale sets should be installed
System updates should be installed on your machines
The NSGs rules for web applications on IaaS should be hardened
There should be more than one owner assigned to your subscription
Transparent Data Encryption on SQL databases should be enabled
Virtual machines should be migrated to new Azure Resource Manager resources
Vulnerabilities in container security configurations should be remediated
Vulnerabilities in security configuration on your machines should be remediated
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Vulnerabilities on your SQL databases should be remediated
Vulnerabilities should be remediated by a Vulnerability Assessment solution
Vulnerability assessment should be enabled on your SQL managed instances
Vulnerability assessment should be enabled on your SQL servers
A maximum of 3 owners should be designated for your subscription
A security contact email address should be provided for your subscription
A security contact phone number should be provided for your subscription
Adaptive Application Controls should be enabled on virtual machines
Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
Advanced data security settings for SQL server should contain an email address to receive security alerts
Advanced data security should be enabled on your SQL managed instances
Allow resource creation if ‘department’ tag set
Allow resource creation if ‘environment’ tag value in allowed values
Allow resource creation only in Asia data centers
Allow resource creation only in European data centers
Allow resource creation only in India data centers
Allow resource creation only in Japan data centers
Allow resource creation only in United States data centers
Allowed locations for resource groups
Allowed locations
Allowed resource types
Allowed storage account SKUs
Allowed virtual machine SKUs
Audit virtual machines without disaster recovery configured
Audit VMs that do not use managed disks
Audit Windows VMs with a pending reboot
DDoS Protection Standard should be enabled
Disk encryption should be applied on virtual machines
Email notification for high severity alerts should be enabled
Management ports should be closed on your virtual machines
Network interfaces should not have public IPs
Not allowed resource types
Subnets should be associated with a Network Security Group
Unattached disks should be encrypted
Virtual machines should be associated with a Network Security Group
Web Application should only be accessible over HTTPS
Access through Internet facing endpoint should be restricted
Now the list of all policies that are in preview mode:
Access to App Services should be restricted
Audit Dependency Agent Deployment – VM Image (OS) unlisted
Audit Dependency Agent Deployment in VMSS – VM Image (OS) unlisted
Audit Linux VMs that allow remote connections from accounts without passwords
Audit Linux VMs that do not have the passwd file permissions set to 0644
Audit Linux VMs that have accounts without passwords
Audit Log Analytics Agent Deployment – VM Image (OS) unlisted
Audit Log Analytics Agent Deployment in VMSS – VM Image (OS) unlisted
Audit Log Analytics Workspace for VM – Report Mismatch
Audit Windows VMs on which the DSC configuration is not compliant
Audit Windows VMs on which the Log Analytics agent is not connected as expected
Audit Windows VMs on which the remote host connection status does not match the specified one
Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Audit Windows VMs that allow re-use of the previous 24 passwords
Audit Windows VMs that contain certificates expiring within the specified number of days
Audit Windows VMs that do not contain the specified certificates in Trusted Root
Audit Windows VMs that do not have a maximum password age of 70 days
Audit Windows VMs that do not have a minimum password age of 1 day
Audit Windows VMs that do not have the password complexity setting enabled
Audit Windows VMs that do not restrict the minimum password length to 14 characters
Audit Windows VMs that do not store passwords using reversible encryption
Audit Windows VMs that have not restarted within the specified number of days
Authorized IP ranges should be defined on Kubernetes Services
Deploy Dependency Agent for Linux VM Scale Sets (VMSS)
Deploy Dependency Agent for Linux VMs
Deploy Dependency Agent for Windows VM Scale Sets (VMSS)
Deploy Dependency Agent for Windows VMs
Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)
Deploy Log Analytics Agent for Linux VMs
Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)
Deploy Log Analytics Agent for Windows VMs
Deploy requirements to audit Linux VMs that allow remote connections from accounts without passwords
Deploy requirements to audit Linux VMs that do not have the passwd file permissions set to 0644
Deploy requirements to audit Linux VMs that have accounts without passwords
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – Control Panel’
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – Network’
Deploy requirements to audit Windows VMs configurations in ‘Administrative Templates – System’
Deploy requirements to audit Windows VMs configurations in ‘Adminstrative Templates – MSS (Legacy)’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Accounts’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Audit’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Devices’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Interactive Logon’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Microsoft Network Client’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Microsoft Network Server’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Network Access’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Network Security’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Recovery console’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – Shutdown’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – System objects’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – System settings’
Deploy requirements to audit Windows VMs configurations in ‘Security Options – User Account Control’
Deploy requirements to audit Windows VMs configurations in ‘Security Settings – Account Policies’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Account Logon’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Account Management’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Detailed Tracking’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Logon-Logoff’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Object Access’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Policy Change’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – Privilege Use’
Deploy requirements to audit Windows VMs configurations in ‘System Audit Policies – System’
Deploy requirements to audit Windows VMs configurations in ‘User Rights Assignment’
Deploy requirements to audit Windows VMs configurations in ‘Windows Components’
Deploy requirements to audit Windows VMs configurations in ‘Windows Firewall Properties’
Deploy requirements to audit Windows VMs on which the DSC configuration is not compliant
Deploy requirements to audit Windows VMs on which the Log Analytics agent is not connected as expected
Deploy requirements to audit Windows VMs on which the remote host connection status does not match the specified one
Deploy requirements to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Deploy requirements to audit Windows VMs that allow re-use of the previous 24 passwords
Deploy requirements to audit Windows VMs that contain certificates expiring within the specified number of days
Deploy requirements to audit Windows VMs that do not contain the specified certificates in Trusted Root
Deploy requirements to audit Windows VMs that do not have a maximum password age of 70 days
Deploy requirements to audit Windows VMs that do not have a minimum password age of 1 day
Deploy requirements to audit Windows VMs that do not have the password complexity setting enabled
Deploy requirements to audit Windows VMs that do not restrict the minimum password length to 14 characters
Deploy requirements to audit Windows VMs that do not store passwords using reversible encryption
Deploy requirements to audit Windows VMs that have not restarted within the specified number of days
IP Forwarding on your virtual machine should be disabled
Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Pod Security Policies should be defined on Kubernetes Services
Role-Based Access Control (RBAC) should be used on Kubernetes Services
Sensitive data in your SQL databases should be classified
Show audit results from Windows VMs configurations in ‘Administrative Templates – Control Panel’
Show audit results from Windows VMs configurations in ‘Administrative Templates – Network’
Show audit results from Windows VMs configurations in ‘Administrative Templates – System’
Show audit results from Windows VMs configurations in ‘Adminstrative Templates – MSS (Legacy)’
Show audit results from Windows VMs configurations in ‘Security Options – Accounts’
Show audit results from Windows VMs configurations in ‘Security Options – Audit’
Show audit results from Windows VMs configurations in ‘Security Options – Devices’
Show audit results from Windows VMs configurations in ‘Security Options – Interactive Logon’
Show audit results from Windows VMs configurations in ‘Security Options – Microsoft Network Client’
Show audit results from Windows VMs configurations in ‘Security Options – Microsoft Network Server’
Show audit results from Windows VMs configurations in ‘Security Options – Network Access’
Show audit results from Windows VMs configurations in ‘Security Options – Network Security’
Show audit results from Windows VMs configurations in ‘Security Options – Recovery console’
Show audit results from Windows VMs configurations in ‘Security Options – Shutdown’
Show audit results from Windows VMs configurations in ‘Security Options – System objects’
Show audit results from Windows VMs configurations in ‘Security Options – System settings’
Show audit results from Windows VMs configurations in ‘Security Options – User Account Control’
Show audit results from Windows VMs configurations in ‘Security Settings – Account Policies’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Account Logon’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Account Management’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Detailed Tracking’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Logon-Logoff’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Object Access’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Policy Change’
Show audit results from Windows VMs configurations in ‘System Audit Policies – Privilege Use’
Show audit results from Windows VMs configurations in ‘System Audit Policies – System’
Show audit results from Windows VMs configurations in ‘User Rights Assignment’
Show audit results from Windows VMs configurations in ‘Windows Components’
Show audit results from Windows VMs configurations in ‘Windows Firewall Properties’