Best practice rules for Microsoft Azure

Ensure that public network access to OpenAI service instances is disabled.

Ensure that Diagnostic Logs are enabled for your Azure OpenAI service instances.

Use Customer Managed Keys (CMKs) to encrypt Azure OpenAI service instances.

Ensure that Azure OpenAI service instances don't have administrative privileges.

Ensure that your Azure AI services API access keys are regularly rotated.

Ensure that Azure OpenAI service instances are using managed identities.

Ensure that network access to OpenAI service instances is allowed via private endpoints only.

Ensure that the latest version of the CNI plugin is used for your AKS clusters.

Ensure that AKS clusters are using the latest available version of Kubernetes software.

Use Customer-Managed Keys (CMKs) to encrypt Azure Kubernetes Service (AKS) cluster disks.

Ensure that access to AKS cluster configuration file is controlled using Azure RBAC.

Ensure that your private AKS clusters are not configured with a public FQDN.

Ensure that Azure Role-Based Access Control is enabled for Azure AKS clusters.

Ensure that Azure Backup service is configured to back up AKS clusters.

Ensure that Microsoft Defender for Cloud is enabled for AKS clusters.

Enable Federal Information Process Standard (FIPS) for AKS cluster node pools to ensure compliance.

Enable Image Cleaner to clean up vulnerable stale images on your AKS clusters.

Enable Image Integrity to ensure that your AKS clusters deploy only trusted images.

Enable image vulnerability scanning for Azure Kubernetes Service (AKS) clusters.

Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.

Ensure that AKS clusters are using network policies for proper segmentation and security.

Enable Trusted Access to secure access for Azure cloud resources in Azure Kubernetes Service (AKS) clusters.

Enable and configure node OS auto-upgrades for Azure Kubernetes Service (AKS) clusters.

Ensure that AKS clusters are using the latest version of Kubernetes API.

Ensure that your Azure Kubernetes Service (AKS) clusters are created with private nodes.

Ensure that your Azure Kubernetes Service (AKS) clusters are private.

Ensure that your Azure Kubernetes Service (AKS) cluster credentials are regularly rotated.

Ensure that public access to Kubernetes API server is restricted.

Ensure that Azure Container Networking Interface (CNI) add-on is used for managing network resources.

Ensure that Azure CNI networking mode is configured for Azure Kubernetes clusters.

Ensure that Microsoft Entra ID integration with Kubernetes RBAC is enabled for Azure AKS clusters.

Ensure that AKS clusters are configured to use the Network Contributor role.

Ensure that Azure Kubernetes clusters are using a private Key Vault for secret data encryption.

Ensure that AKS clusters are using system-assigned managed identities.

Ensure that AKS clusters are using user-assigned managed identities.

Ensure that user sign-in with Microsoft Entra ID is enabled for Azure API Management Developer Portal.

Ensure that Azure API Management API gateways do not use weak cipher suites.

Ensure that Azure API Management API gateways do not use deprecated TLS protocols.

Ensure that Azure API Management services with private endpoints are not publicly exposed.

Ensure that Azure API Management APIs are configured to enforce built-in response caching.

Ensure that Azure API Management APIs are using Application Insights.

Ensure that resource logs are enabled for Azure API Management API services.

Ensure that HTTP/2 support is enabled within Microsoft Azure API Management.

Ensure that Azure API Management APIs are configured to enforce HTTPS for API calls.

Ensure that named values are encrypted to prevent the exposure of secrets in Azure API Management.

Ensure that Azure API Management services are configured to use client certificates.

Ensure that no Azure API Management API allows unrestricted access.

Ensure that Azure API Management services are using system-assigned managed identities.

Ensure that Azure API Management services are using user-assigned managed identities.

Ensure there are no custom owner roles within your Microsoft Azure cloud account.

Ensure that a resource locking administrator role is available for each Azure subscription.

Ensure there are no custom subscription administrator roles within your Microsoft Azure cloud account.

Ensure there are no Microsoft Entra ID guest users if they aren't needed.

Ensure that non-admin users are not allowed to create Microsoft Entra ID tenants.

Ensure that "All Users" group is enabled for centralized access management within your Microsoft Entra ID account.

Ensure that Security Defaults is enabled for Microsoft Entra ID.

Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored).

Ensure that 'Guests can invite' is set to 'No' (Not Scored).

Ensure that invitations are restricted to users with specific administrative roles only.

Ensure that 'Members can invite' is set to 'No' (Not Scored).

Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored).

Ensure that multi-factor authentication is enabled for all privileged users (Not Scored).

Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored)

Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored).

Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored).

Ensure that 'Number of days before users are asked to re-confirm their authentication information' isn't set to '0' (Not Scored).

Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored).

Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored).

Ensure that 'Restrict access to Microsoft Entra ID administration portal' is set to 'Yes' (Not Scored).

Ensure that guest user permissions are limited to a secure, compliant level.

Ensure that the 'Restrict user ability to access groups features in the Access Panel' setting is set to 'Yes' (Not Scored).

Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored)

Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored).

Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored).

Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored).

Ensure that 'Users can create security groups' is set to 'No' (Not Scored).

Ensure that 'Users can register applications' is set to 'No' (Not Scored).

Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored).

Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored).

Ensure that an activity log alert is created for the "Create Policy Assignment" events.

Ensure that an activity log alert is created for "Create or Update Load Balancer" events.

Ensure that activity log alerts are created for the "Create or Update Public IP Address" events.

Ensure that an activity log alert is created for the "Create/Update Security Solution" events.

Ensure that an activity log alert is created for "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)" events.

Ensure that an activity log alert is created for the “Create/Update/Delete SQL Server Firewall Rule” events.

Ensure that an activity log alert is created for "Create/Update Azure SQL Database" events.

Ensure that an activity log alert is created for "Create/Update MySQL Database" events.

Ensure that an activity log alert is created for the "Create/Update Network Security Group Rule" events.

Ensure that an activity log alert is created for the "Create/Update Network Security Group" events.

Ensure that an activity log alert is created for "Create/Update PostgreSQL Database" events.

Ensure there is an activity log alert created for the "Create/Update Storage Account" events.

Ensure that an activity log alert is created for the "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" events.

Ensure that an activity log alert is created for "Delete Azure SQL Database (Microsoft.Sql/servers/databases)" events.

Ensure there is an activity log alert created for the "Delete Key Vault" events.

Ensure there is an Azure activity log alert created for "Delete Load Balancer" events.

Ensure that an activity log alert is created for "Delete MySQL Database" events.

Ensure that an activity log alert is created for the "Delete Network Security Group Rule" events.

Ensure that an activity log alert is created for the "Delete Network Security Group" events.

Ensure that an activity log alert is created for the "Delete Policy Assignment" events.

Ensure that an activity log alert is created for "Delete PostgreSQL Database" events.

Ensure that activity log alerts are created for the "Delete Public IP Address" events.

Ensure that an activity log alert is created for the "Delete Security Solution" events.

Ensure that an activity log alert exists for "Delete Storage Account" events.

Ensure that an activity log alert exists for "Delete Virtual Machine" events.

Ensure that an activity log alert exists for "Power Off Virtual Machine" events.

Ensure that an activity log alert is created for "Rename Azure SQL Database" events.

Ensure that an activity log alert is created for "Update Key Vault (Microsoft.KeyVault/vaults)" events.

Ensure that an activity log alert is created for the "Update Security Policy" events.

Ensure that an activity log alert rule is created for Service Health events.

Ensure that Microsoft Azure Advisor recommendations are analyzed and implemented.

Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications.

Ensure that Azure App Service web applications are using the latest stable version of Java.

Ensure that Azure App Service web applications are using the latest version of PHP.

Ensure that Azure App Service web applications are using the latest version of Python.

Ensure there is a sufficient backup retention period configured for Azure App Services applications.

Ensure that Azure App Service web applications are using the latest version of TLS encryption.

Ensure that Azure App Service web applications are using the latest version of HTTP.

Ensure that your Azure App Service web applications requests a client certificate from incoming requests.

Ensure that FTP access is disabled for your Azure App Services web applications.

Disable Remote Debugging feature for your Microsoft Azure App Services web applications.

Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On feature.

Ensure that App Service Authentication is enabled within your Microsoft Azure cloud account.

Ensure that Azure App Services applications are configured to use Application Insights feature.

Ensure that all your Azure App Services applications are using the Backup and Restore feature.

Enable FTPS-only access for your Microsoft Azure App Services web applications.

Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications.

Ensure that your Azure App Service web applications are using health checks.

Ensure that registration with Microsoft Entra ID is enabled for Azure App Service applications.

Ensure that Azure Key Vaults are used to store App Service application secrets.

Ensure that Microsoft Azure Container Apps are not configured to allow insecure connections.

Ensure that public network access to Azure Container Apps is disabled.

Enable authentication and authorization with Microsoft Entra ID.

Ensure that Diagnostic Logs are enabled for Azure Container Apps environments.

Ensure that HTTP/2 support is enabled for Microsoft Azure Container Apps.

Ensure that peer-to-peer TLS encryption is enabled for Azure Container Apps environments.

Enable and configure Azure Container Apps resiliency using resiliency policies.

Ensure that Azure Key Vaults are used to store Azure Container App secrets.

Ensure that your Microsoft Azure Container Apps are using managed identities.

Ensure that Azure Container App custom domains are using TLS/SSL certificates.

Ensure that IP network rules are configured for your Azure container registries.

Use Customer-Managed Keys (CMKs) to encrypt your Azure Container Registry (ACR) data.

Ensure that ARM audience token authentication is disabled for Azure container registries.

Ensure that public network access to Azure container registries is disabled.

Ensure that Diagnostic Logs are enabled for your Azure container registries.

Ensure that Soft Delete is enabled for your Microsoft Azure container registries.

Allow trusted Microsoft services to access your network-restricted container registries.

Ensure that your Microsoft Azure container registries are using managed identities.

Ensure that network access to Azure container registries is allowed via private endpoints only.

Use Customer-Managed Keys (CMKs) to encrypt Azure Cosmos DB accounts.

Ensure that "Minimum Transport Layer Security Protocol" is set to "TLS 1.2" for Azure Cosmos DB accounts.

Ensure that Azure Cosmos DB for MongoDB accounts are using the latest version of MongoDB database.

Ensure that Azure Cosmos DB accounts are secured with virtual networks (VNets).

Ensure that Azure Cosmos DB accounts have at least one IP firewall rule defined to allow trusted access.

Avoid using local authentication methods such as access keys for authentication to Cosmos DB accounts.

Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts.

Enable automatic failover for Microsoft Azure Cosmos DB accounts.

Ensure that cross-region replication is enabled for your Azure Cosmos DB for MongoDB clusters.

Ensure that Diagnostic Logs are enabled for Azure Cosmos DB accounts.

Ensure that geo-redundancy is enabled for Microsoft Azure Cosmos DB accounts.

Ensure that Azure Cosmos DB for MongoDB accounts are using the latest version of MongoDB database.

Ensure that Microsoft Defender for Azure Cosmos DB is enabled at the resource level.

Ensure that the access keys for your Azure Cosmos DB accounts are regularly rotated.

Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB account configuration.

Ensure that Azure Cosmos DB accounts are using managed identities.

Ensure that network access to Azure Cosmos DB accounts is allowed via private endpoints only.

Ensure that resource locks are enabled for your production Azure Cosmos DB accounts.

Ensure that Role-Based Access Control (RBAC) is configured for Azure CosmosDB data plane access.

Use Customer-Managed Keys (CMKs) to encrypt your Azure Databricks workspace data.

Ensure that Virtual Network (VNet) injection is enabled to your Azure Databricks workspaces.

Enable Web Application Firewall (WAF) policies for Azure Front Door profiles.

Ensure that the "Minimum TLS version" setting is set to "TLS 1.2" for all Azure Front Door custom domains.

Ensure that Azure Front Door profiles are using system-assigned managed identities.

Ensure that your Microsoft Azure functions are using access keys.

Ensure that your Azure functions are using the latest runtime version of the function host.

Ensure that your Azure functions are not configured with admin privileges.

Ensure that administrative endpoints are disabled for Microsoft Azure Function Apps.

Disable Remote Debugging for Microsoft Azure Function Apps to reduce the risk of exposure to sensitive data or potential attacks.

Ensure that Microsoft Azure functions are configured to use Application Insights feature.

Ensure that Virtual Network integration is enabled for your Azure Function Apps.

Ensure that your Microsoft Azure functions are not publicly accessible.

Ensure that the "Minimum Inbound TLS Version" setting is set to 1.2 or higher for all Azure Function Apps.

Ensure that Azure Key Vaults are used to store Azure Function App secrets.

Ensure that your Microsoft Azure Function Apps are using managed identities.

Ensure that your Microsoft Azure Function Apps are using Network Security Groups (NSGs).

Ensure that network access to Azure Function Apps is allowed via private endpoints only.

Ensure that Azure functions are using system-assigned managed identities.

Ensure that Azure functions are using user-assigned managed identities.

Ensure that a Customer-Managed Key is created for your Azure cloud application tier.

Ensure that Azure key vaults don't allow unknown cross-subscription access.

Ensure that Azure Key Vault certificates are using the appropriate key type(s).

Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date.

Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.

Ensure that Azure Key Vault RSA certificates are using the appropriate key size.

Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults.

Ensure there is a sufficient period configured for the SSL certificates auto-renewal.

Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud database tier.

Ensure that logging for Azure KeyVault is 'Enabled'

Ensure that Automatic Key Rotation is enabled for Azure Key Vaults.

Ensure that certificate transparency is enabled for all your Azure Key Vault certificates.

Ensure that your Microsoft Azure Key Vault instances are recoverable.

Ensure that RBAC authorization is enabled for Azure Key Vaults.

Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.

Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates).

Ensure that default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration.

Ensure that an expiration date is set for all your Microsoft Azure secret keys.

Ensure that an expiration date is configured for all your Microsoft Azure encryption keys.

Ensure that network access to Azure Key Vaults is allowed via private endpoints only.

Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.

Ensure that resource locks are enabled for your high-impact Microsoft Azure resources.

Ensure that Diagnostic Logs are enabled for your Azure Machine Learning workspaces.

Enable High Business Impact feature for your Azure Machine Learning workspaces.

Ensure that managed VNet isolation with Internet outbound access is enabled for your Azure Machine Learning workspaces.

Ensure that network isolation is enabled for your Azure Machine Learning registries.

Use Customer Managed Keys (CMKs) to encrypt Azure Machine Learning workspaces.

Ensure that Azure Machine Learning workspaces are using system-assigned managed identities.

Ensure audit profile captures all the activities.

Ensure that Azure Log Profile is configured to capture activity logs for all regions.

Ensure that Azure activity log retention period is set for 365 days or greater.

Use Customer-Managed Keys (CMKs) for Azure activity log storage container encryption.

Ensure that a Log Profile exists for each subscription available in your Azure account.

Ensure that the Azure storage container storing the activity logs isn't publicly accessible

Ensure that an Application Insights resource is created within your Azure cloud account.

Ensure that the diagnostic settings are configured to capture the appropriate categories.

Ensure that Diagnostic Logs are enabled for the supported Azure cloud resources.

Ensure that exporting activity logs is enabled for each cloud resource within a subscription.

Ensure that Azure Monitor Activity Logs for subscriptions are exported via diagnostic settings.

Ensure that the "audit_log_events" configuration parameter includes "CONNECTION".

Ensure that the 'tls_version' parameter is set to a minimum of 'TLSV1.2' for all MySQL flexible database servers.

Ensure that "audit_log_enabled" configuration parameter is enabled for Azure MySQL flexible servers.

Ensure that in-transit encryption is enabled for your Azure MySQL database servers.

Ensure that "require_secure_transport" parameter is enabled for Azure MySQL flexible servers.

Ensure that the Azure Bastion service is used within your Microsoft Azure cloud account.

Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 days.

Ensure there are no network security groups with range of ports opened to allow incoming traffic.

Ensure that no network security groups allow unrestricted inbound access on TCP port 445 (Common Internet File System – CIFS).

Ensure that no network security groups allow unrestricted inbound access on TCP and UDP port 53.

Ensure that no network security groups allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).

Ensure that no network security groups allow unrestricted inbound access on TCP port 80.

Ensure that no network security groups allow unrestricted inbound access on TCP port 443.

Ensure that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Ensure that no network security groups allow unrestricted inbound access via TCP or UDP on selected ports.

Ensure that no network security groups allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).

Ensure that no network security groups allow unrestricted inbound access on TCP port 1433.

Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.

Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database).

Ensure that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database).

Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).

Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol – RDP).

Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).

Ensure that no network security groups allow unrestricted inbound access on TCP port 25.

Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH).

Ensure that no network security groups allow unrestricted inbound access on TCP port 23.

Ensure that no network security groups allow unrestricted inbound access on UDP ports.

Ensure that Virtual Network flow log retention period is greater than or equal to 90 days.

Ensure that Network Watcher is enabled within your Microsoft Azure account subscription.

Ensure that DDoS standard protection is enabled for production Azure virtual networks.

Network security group changes have been detected in your Microsoft Azure cloud account.

Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed.

Policy assignment changes have been detected in your Microsoft Azure cloud account.

Ensure there is a sufficient log retention period configured for your Azure PostgreSQL flexible servers.

Ensure that PostgreSQL database servers have a sufficient log retention period configured.

Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.

Ensure that any access from Azure services to Azure PostgreSQL database servers is disabled.

Ensure that any access from Azure services to your Azure PostgreSQL flexible servers is disabled.

Ensure that "connection_throttling" parameter is set to "ON" within your Azure PostgreSQL server settings.

Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL database servers.

Enable "log_connections" parameter for your Microsoft Azure PostgreSQL database servers.

Enable "log_disconnections" parameter for your Microsoft Azure PostgreSQL database servers.

Enable "log_duration" parameter on your Microsoft Azure PostgreSQL database servers.

Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL flexible database servers.

Ensure that "connection_throttle.enable" parameter is set to "ON" for Azure PostgreSQL flexible servers.

Ensure that geo-redundant backups are enabled for your Azure PostgreSQL database servers.

Ensure that in-transit encryption is enabled for your Azure PostgreSQL database servers.

Ensure that infrastructure double encryption is enabled for Single Server Azure PostgreSQL database servers.

Ensure that storage auto-growth is enabled for your Microsoft Azure PostgreSQL database servers.

Ensure that "require_secure_transport" parameter is enabled for Azure PostgreSQL flexible servers.

Ensure that an Microsoft Entra admin is configured for PostgreSQL authentication.

Ensure that email notifications are enabled for virtual machine (VM) backup alerts.

Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol.

Ensure that Azure Cache for Redis servers are injected to an Azure virtual network (VNet).

Ensure that IP firewall rules are configured for your Azure Cache for Redis instances.

Ensure there is a preferred maintenance window configured for your Azure Cache for Redis servers.

Ensure that production Azure Cache for Redis servers are using the "Stable" update channel.

Avoid using local authentication methods such as access keys for authentication to Redis cache.

Ensure that all your Enterprise Redis cache clusters are TLS-enabled cache clusters.

Ensure that public network access to Azure Cache for Redis servers is disabled.

Ensure that data persistence is enabled for your Azure Cache for Redis servers.

Ensure that Diagnostic Logs are enabled for Azure Cache for Redis servers.

Ensure that geo-replication is enabled for your Azure Cache for Redis servers.

Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers.

Ensure that keyspace notifications are enabled for your Azure Cache for Redis servers.

Ensure that zone redundancy is enabled for Azure Cache for Redis servers.

Use Customer-Managed Keys (CMKs) to encrypt your Enterprise Redis cache cluster data.

Ensure that Azure Cache for Redis servers are using managed identities.

Ensure that your Azure Cache for Redis servers are using Network Security Groups (NSGs).

Ensure that resource locks are enabled for your production Azure Cache for Redis servers.

Ensure there is a tagging strategy in use for identifying and organizing Azure resources by name, purpose, environment, and other criteria.

Ensure that Azure Search Service instances are configured to use system-assigned managed identities.

Ensure that the latest OS patches available for Microsoft Azure virtual machines (VMs) are applied.

Ensure that additional email addresses are provided to receive security notifications.

Security solution changes have been detected within your Microsoft Azure cloud account.

Azure security policy changes have been detected within your Microsoft Azure cloud account.

Ensure that Email Notification for Alerts is set to On.

Ensure that Send email also to subscription owners is set to On.

Enable agentless vulnerability assessment for container images.

Enable agentless API-based discovery of Kubernetes resources.

Ensure that all the parameters supported by Microsoft Defender for Cloud default policy are enabled.

Ensure that email notifications for attack paths are enabled.

Ensure that automatic provisioning of security components is enabled for Azure containers.

Ensure that automatic provisioning of vulnerability assessment solutions is enabled for virtual machines.

Ensure that "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level.

Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled.

Enable auto-provisioning extensions for Microsoft Defender for Cloud in your Azure subscriptions.

Ensure that Defender for APIs is enabled for Azure API Management services.

Ensure that Defender for Endpoint – Defender for Cloud integration is enabled.

Ensure that Email Notification for Alerts is set to On.

Ensure that Microsoft Defender for Cloud standard pricing tier is enabled in your Azure account.

Ensure that Microsoft Defender for Cloud Apps integration is enabled.

Ensure that Microsoft Defender for Cloud is enabled for Azure App Service instances.

Ensure that Microsoft Defender for Cloud is enabled for Azure containers.

Ensure that Microsoft Defender for Cloud is enabled for resources that use Azure DNS.

Ensure that Microsoft Defender for Cloud is enabled for Azure Resource Manager.

Ensure that Microsoft Defender for Cloud is enabled for SQL database servers.

Ensure that Microsoft Defender for Cloud is enabled for Azure key vault resources.

Ensure that Microsoft Defender for Cloud is enabled for open-source relational databases.

Ensure that Microsoft Defender for Cloud is enabled for SQL Server virtual machines.

Ensure that Microsoft Defender for Cloud is enabled for Azure storage accounts.

Ensure that Microsoft Defender for Cloud is enabled for virtual machine (VM) servers.

Ensure that the monitoring of deprecated accounts is enabled.

Ensure that IP forwarding enabled on your Azure virtual machines (VMs) is being monitored.

Ensure that Vulnerability Assessment Periodic Recurring Scans are enabled for SQL database servers.

Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers.

Ensure that Microsoft Defender for Cloud recommendations are examined and resolved.

Ensure that Microsoft Defender for Cloud security alerts are examined and resolved.

Ensure that Adaptive Application controls isn't set to Disabled.

Ensure that Disk Encryption isn't set to Disabled.

Ensure that Endpoint protection isn't set to Disabled.

Ensure that the external accounts with write permissions are monitored using Azure Security Center.

Ensure that JIT Network Access isn't set to Disabled.

Ensure that Network Security Groups isn't set to Disabled.

Ensure that Security Configurations isn't set to Disabled

Ensure that SQL Auditing isn't set to Disabled

Ensure that SQL Encryption isn't set to Disabled.

Ensure that Storage Encryption isn't set to Disabled.

Ensure that System updates isn't set to Disabled.

Ensure that Vulnerability Assessment isn't set to Disabled.

Ensure that Web Application Firewall isn't set to Disabled.

Ensure that the total number of subscription owners within your Azure account is monitored.

Ensure that Next generation firewall isn't set to Disabled.

Ensure that a valid security contact email address is set.

Ensure that a valid security contact phone number is set.

Ensure that public network access to Azure Service Bus namespaces is disabled.

Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Service Bus namespaces.

Ensure that Azure SQL database servers are accessible via private endpoints only.

Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.

Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).

Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level.

Configure Vulnerability Assessment scan reports and alerts via email for SQL database servers with classic configuration.

SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.

Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.

Enable all types of threat detection for your Microsoft Azure SQL database servers.

Ensure that database auditing is enabled at the Azure SQL database server level.

Ensure that your Azure SQL database servers are configured to use auto-failover groups.

Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.

Configure Vulnerability Assessment to send email notifications to admins and subscription owners using the classic configuration (Not Scored).

Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.

Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).

Ensure that Vulnerability Assessment Periodic Recurring Scans are enabled for SQL database servers (Not Scored).

Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers (Not Scored).

Ensure that "Minimum TLS version" is set to "TLS 1.2" for all Azure SQL managed instances.

Ensure that SQL database auditing has a sufficient log data retention period configured.

Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).

Ensure that an Microsoft Entra admin is configured for SQL authentication.

Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.

Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies.

Ensure that Azure Storage containers created to host static websites aren't publicly accessible.

Ensure that your Azure File Shares are configured with the "AES-256-GCM" SMB channel encryption algorithm.

Ensure that your Microsoft Azure File Shares are using the latest SMB protocol version.

Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.

Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.

Ensure that anonymous access to blob containers is disabled to avoid sensitive data exposure.

Ensure that blob anonymous access is disabled at the storage account level to override any ACL configurations allowing public access.

Ensure that cross-tenant object replication is disabled for your Azure Storage accounts.

Ensure that public network access to Azure Storage accounts is disabled.

Ensure that "Allow storage account key access" setting is disabled to prevent Shared Key authorization.

Ensure that Azure Blob Storage service has a lifecycle management policy configured.

Ensure that geo-redundant storage is enabled for your Azure Storage accounts.

Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification.

Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts.

Ensure that storage logging is enabled for the Azure Storage Blob service.

Ensure that detailed storage logging is enabled for the Azure Storage Queue service.

Ensure that storage logging is enabled for the Azure Storage Table service.

Ensure that "Default to Microsoft Entra authorization in the Azure portal" setting is enabled for Azure Storage accounts.

Ensure that "Secure transfer required" security feature is enabled within your Azure Storage account configuration.

Ensure that Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.

Ensure that the Soft Delete feature is enabled for your Microsoft Azure File Shares.

Allow Trusted Microsoft Services to access your Azure Storage account resources.

Ensure that blob versioning is enabled for Microsoft Azure Storage accounts.

Ensure that Azure Storage account access is limited only to specific IP address(es).

Ensure that network access to Azure Storage accounts is allowed via private endpoints only.

Regenerate storage account access keys periodically to help keep your storage account secure.

Enforce "Deny" as the default network access rule for your Azure Storage accounts.

Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).

Ensure that your Shared Access Signature (SAS) tokens expire within an hour.

Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts.

Use customer-managed keys (CMKs) for Microsoft Azure Storage accounts encryption.

Ensure that Basic/Consumption SKU is not being used within your Azure cloud account.

Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account.

Ensure there is more than one owner assigned to your Microsoft Azure subscription.

To prevent certain resource types from being deployed ensure that "Not Allowed Resource Types" policy is assigned.

Restrict the usage of the 'User Access Administrator' role in your Azure cloud account.

Ensure that Transparent Data Encryption (TDE) is enabled for dedicated SQL pools in Azure Synapse Analytics.

Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.

Ensure that all your Azure virtual machine instances are launched from approved machine images only.

Ensure that Azure Disk Encryption is enabled for Azure virtual machine boot volumes to protect data at rest.

Ensure that Azure Disk Encryption is enabled for Microsoft Azure virtual machines for non-boot volumes.

Ensure that Azure Disk Encryption is enabled for unattached Azure virtual machine disk volumes.

Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.

Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).

Identify and remove empty virtual machine scale sets from your Azure cloud account.

Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys.

Ensure there is a sufficient daily backup retention period configured for Azure virtual machines.

Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.

Identify and remove unused load balancers from your Microsoft Azure cloud account.

Ensure that Azure virtual machine scale sets are configured for zone redundancy.

Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs.

Avoid assigning public IP addresses to individual instances within your virtual machine scale set.

Ensure that Azure virtual machine scale sets don't assign public IP addresses.

Ensure that public network access to Azure virtual machine disks is disabled.

Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.

Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis.

Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs

Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.

Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.

Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).

Ensure that Confidential Computing is enabled for Azure virtual machine (VM) instances.

Ensure that data access authentication mode is enabled for Azure virtual machine disks.

Ensure that Azure virtual machine disk volumes created for the app tier are encrypted.

Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted.

Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.

Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets.

Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.

Ensure that only MFA-enabled identities can access your Azure virtual machine (VM) instances.

Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool.

Ensure that Azure virtual machines are configured to use system-assigned managed identities.

Ensure that Microsoft Azure virtual machines are configured to use the Trusted Launch feature.

Configure your Microsoft Azure virtual machines to use Microsoft Entra ID credentials for secure authentication.

Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature.

Ensure that the health of your Microsoft Azure scale set instances is being monitored.

Ensure that only approved extensions are installed on your Microsoft Azure virtual machines.

Ensure that endpoint protection is installed on your Microsoft Azure virtual machines.

Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.

Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs

Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs).

Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs).

Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs).

Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption.

Ensure that Customer Managed Keys are used to encrypt Virtual Hard Disk (VHD) volumes.

Ensure that your Microsoft Azure virtual machines are using managed disk volumes.