Microsoft® Azure best practice rules
Trend Cloud One™ – Conformity has over 1000 cloud infrastructure configuration best practices for your Alibaba Cloud, Amazon Web Services, Microsoft® Azure, and Google Cloud™ environments. Here is our growing list of Azure best practice rules with clear instructions on how to perform the updates – made either through the Azure console or via the Command Line Interface (CLI).
Conformity provides real-time monitoring and auto-remediation for the security, compliance and governance of your cloud infrastructure, leaving you free to grow and scale your business with confidence.
AI Services
- Disable Public Network Access to OpenAI Service Instances
Ensure that public network access to OpenAI service instances is disabled.
- Enable Diagnostic Logs for OpenAI Service Instances
Ensure that Diagnostic Logs are enabled for your Azure OpenAI service instances.
- OpenAI Encryption using Customer-Managed Keys
Use Customer Managed Keys (CMKs) to encrypt Azure OpenAI service instances.
- OpenAI Service Instances with Admin Privileges
Ensure that Azure OpenAI service instances don't have administrative privileges.
- Regenerate API Access Keys for OpenAI Service Instances
Ensure that your Azure AI services API access keys are regularly rotated.
- Use Managed Identities for OpenAI Service Instances
Ensure that Azure OpenAI service instances are using managed identities.
- Use Private Endpoints for OpenAI Service Instances
Ensure that network access to OpenAI service instances is allowed via private endpoints only.
AKS
- Check for Kubernetes Version
Ensure that AKS clusters are using the latest available version of Kubernetes software.
- Cluster Disks Encrypted with Customer-Managed Keys
Use Customer-Managed Keys (CMKs) to encrypt Azure Kubernetes Service (AKS) cluster disks.
- Control Access to AKS Cluster Configuration File
Ensure that access to the AKS cluster configuration file is controlled using Azure RBAC.
- Disable Public FQDN for Private AKS Clusters
Ensure that your private AKS clusters are not configured with a public FQDN.
- Enable Azure Role-Based Access Control (RBAC) for Kubernetes Authorization
Ensure that Azure Role-Based Access Control is enabled for Azure AKS clusters.
- Enable Backups for AKS Clusters
Ensure that Azure Backup service is configured to back up AKS clusters.
- Enable Defender for Cloud for AKS Clusters
Ensure that Microsoft Defender for Cloud is enabled for AKS clusters.
- Enable Federal Information Processing Standard (FIPS) for AKS Cluster Node Pools
Enable Federal Information Processing Standard (FIPS) for AKS cluster node pools to ensure compliance.
- Enable Image Cleaner for AKS Clusters
Enable Image Cleaner to clean up vulnerable stale images on your AKS clusters.
- Enable Image Integrity for AKS Clusters
Enable Image Integrity to ensure that your AKS clusters deploy only trusted images.
- Enable Kubernetes Role-Based Access Control
Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters.
- Enable Trusted Access for AKS Clusters
Enable Trusted Access to give Azure cloud resources secure access to Azure Kubernetes Service (AKS) clusters.
- Enable and Configure Node OS Auto-Upgrades
Enable and configure node OS auto-upgrades for Azure Kubernetes Service (AKS) clusters.
- Kubernetes API Version
Ensure that AKS clusters are using the latest version of Kubernetes API.
- Private Kubernetes Clusters
Ensure that your Azure Kubernetes Service (AKS) clusters are private.
- Rotate AKS Cluster Credentials
Ensure that your Azure Kubernetes Service (AKS) cluster credentials are regularly rotated.
- Secure Access to Kubernetes API Server Using Authorized IP Address Ranges
Ensure that public access to the Kubernetes API server is restricted.
- Use Azure CNI Add-On for Managing Network Resources
Ensure that Azure Container Networking Interface (CNI) add-on is used for managing network resources.
- Use Azure Container Networking Interface (CNI) for AKS Clusters
Ensure that Azure CNI networking mode is configured for Azure Kubernetes clusters.
- Use Microsoft Entra ID Integration with Kubernetes RBAC
Ensure that Microsoft Entra ID integration with Kubernetes RBAC is enabled for Azure AKS clusters.
- Use Network Contributor Role for Managing Azure Network Resources
Ensure that AKS clusters are configured to use the Network Contributor role.
- Use Private Key Vaults for Encryption at Rest in Azure Kubernetes Service (AKS)
Ensure that Azure Kubernetes clusters are using a private Key Vault for secret data encryption.
- Use System-Assigned Managed Identities for AKS Clusters
Ensure that AKS clusters are using system-assigned managed identities.
- Use User-Assigned Managed Identities for AKS Clusters
Ensure that AKS clusters are using user-assigned managed identities.
API Management
- Authorize Developer Accounts by Using Microsoft Entra ID
Ensure that user sign-in with Microsoft Entra ID is enabled for Azure API Management Developer Portal.
- Check the Cipher Suites Configured for API Gateways
Ensure that Azure API Management API gateways do not use weak cipher suites.
- Check the TLS Version Configured for API Gateways
Ensure that Azure API Management API gateways do not use deprecated TLS protocols.
- Disable Public Network Access to API Management Services with Private Endpoints
Ensure that Azure API Management services with private endpoints are not publicly exposed.
- Enable Built-In Response Caching
Ensure that Azure API Management APIs are configured to enforce built-in response caching.
- Enable Integration with Application Insights
Ensure that Azure API Management APIs are using Application Insights.
- Enable Resource Logs
Ensure that resource logs are enabled for Azure API Management API services.
- Enable Support for HTTP/2
Ensure that HTTP/2 support is enabled within Microsoft Azure API Management.
- Enforce HTTPS
Ensure that Azure API Management APIs are configured to enforce HTTPS for API calls.
- Prevent the Exposure of Credentials and Secrets using Encrypted Named Values
Ensure that named values are encrypted to prevent the exposure of secrets in Azure API Management.
- Secure access to APIs using client certificates
Ensure that Azure API Management services are configured to use client certificates.
- Unrestricted API Access
Ensure that no Azure API Management API allows unrestricted access.
- Use System-Assigned Managed Identities for Azure API Management Services
Ensure that Azure API Management services are using system-assigned managed identities.
- Use User-Assigned Managed Identities for Azure API Management Services
Ensure that Azure API Management services are using user-assigned managed identities.
Access Control
- Remove Custom Owner Roles
Ensure there are no custom owner roles within your Microsoft Azure cloud account.
- Resource Locking Administrator Role
Ensure that a resource locking administrator role is available for each Azure subscription.
- Subscription Administrator Custom Role
Ensure there are no custom subscription administrator roles within your Microsoft Azure cloud account.
Microsoft Entra ID
- Check for Microsoft Entra ID Guest Users
Ensure there are no Microsoft Entra ID guest users if they aren't needed.
- Enable "All Users" Group
Ensure that the "All Users" group is enabled for centralized access management within your Microsoft Entra ID account.
- Enable Security Defaults
Ensure that Security Defaults is enabled for Microsoft Entra ID.
- Guest User Permissions Are Limited
Ensure that 'Guest user permissions are limited' is set to 'Yes' (Not Scored).
- Guests Can Invite
Ensure that 'Guests can invite' is set to 'No' (Not Scored).
- Members Can Invite
Ensure that 'Members can invite' is set to 'No' (Not Scored).
- Multi-factor Authentication For All Non-privileged Users
Ensure that multi-factor authentication is enabled for all non-privileged users (Not Scored).
- Multi-factor Authentication For All Privileged Users
Ensure that multi-factor authentication is enabled for all privileged users (Not Scored).
- Multi-factor Authentication On Devices
Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored).
- Notify All Admins When Other Admins Reset Their Password
Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' (Not Scored).
- Notify Users On Password Resets
Ensure that 'Notify users on password resets?' is set to 'Yes' (Not Scored).
- Number Of Days Before Authentication Information Re-confirmation
Ensure that 'Number of days before users are asked to re-confirm their authentication information' isn't set to '0' (Not Scored).
- Number Of Methods Required To Reset Password
Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' (Not Scored).
- Require Multi-Factor Auth To Join Devices
Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' (Not Scored).
- Restrict Access To Microsoft Entra ID Administration Portal
Ensure that 'Restrict access to Microsoft Entra ID administration portal' is set to 'Yes' (Not Scored).
- Restrict User Access to Microsoft Entra Group Features in Azure Access Panel
Ensure that the 'Restrict user ability to access groups features in the Access Panel' setting is set to 'Yes' (Not Scored).
- Self-service Group Management Enabled
Ensure that 'Self-service group management enabled' is set to 'No' (Not Scored).
- Users Can Add Gallery Apps To Their Access Panel
Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' (Not Scored).
- Users Can Consent To Apps Accessing Company Data On Their Behalf
Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' (Not Scored).
- Users Can Create Office 365 Groups
Ensure that 'Users can create Office 365 groups' is set to 'No' (Not Scored).
- Users Can Create Security Groups
Ensure that 'Users can create security groups' is set to 'No' (Not Scored).
- Users Can Register Applications
Ensure that 'Users can register applications' is set to 'No' (Not Scored).
- Users Who Can Manage Office 365 Groups
Ensure that 'Users who can manage Office 365 groups' is set to 'None' (Not Scored).
- Users Who Can Manage Security Groups
Ensure that 'Users who can manage security groups' is set to 'None' (Not Scored).
Activity Log
- Create Alert for "Create Policy Assignment" Events
Ensure that an activity log alert is created for the "Create Policy Assignment" events.
- Create Alert for "Create or Update Load Balancer" Events
Ensure that an activity log alert is created for "Create or Update Load Balancer" events.
- Create Alert for "Create or Update Public IP Address" Events
Ensure that activity log alerts are created for the "Create or Update Public IP Address" events.
- Create Alert for "Create or Update Security Solution" Events
Ensure that an activity log alert is created for the "Create/Update Security Solution" events.
- Create Alert for "Create or Update Virtual Machine" Events
Ensure that an activity log alert is created for "Create or Update Virtual Machine (Microsoft.Compute/virtualMachines)" events.
- Create Alert for "Create, Update or Delete SQL Server Firewall Rule" Events
Ensure that an activity log alert is created for the “Create/Update/Delete SQL Server Firewall Rule” events.
- Create Alert for "Create/Update Azure SQL Database" Events
Ensure that an activity log alert is created for "Create/Update Azure SQL Database" events.
- Create Alert for "Create/Update MySQL Database" Events
Ensure that an activity log alert is created for "Create/Update MySQL Database" events.
- Create Alert for "Create/Update Network Security Group Rule" Events
Ensure that an activity log alert is created for the "Create/Update Network Security Group Rule" events.
- Create Alert for "Create/Update Network Security Group" Events
Ensure that an activity log alert is created for the "Create/Update Network Security Group" events.
- Create Alert for "Create/Update PostgreSQL Database" Events
Ensure that an activity log alert is created for "Create/Update PostgreSQL Database" events.
- Create Alert for "Create/Update Storage Account" Events
Ensure there is an activity log alert created for the "Create/Update Storage Account" events.
- Create Alert for "Deallocate Virtual Machine" Events
Ensure that an activity log alert is created for the "Deallocate Virtual Machine (Microsoft.Compute/virtualMachines)" events.
- Create Alert for "Delete Azure SQL Database" Events
Ensure that an activity log alert is created for "Delete Azure SQL Database (Microsoft.Sql/servers/databases)" events.
- Create Alert for "Delete Key Vault" Events
Ensure there is an activity log alert created for the "Delete Key Vault" events.
- Create Alert for "Delete Load Balancer" Events
Ensure there is an Azure activity log alert created for "Delete Load Balancer" events.
- Create Alert for "Delete MySQL Database" Events
Ensure that an activity log alert is created for "Delete MySQL Database" events.
- Create Alert for "Delete Network Security Group Rule" Events
Ensure that an activity log alert is created for the "Delete Network Security Group Rule" events.
- Create Alert for "Delete Network Security Group" Events
Ensure that an activity log alert is created for the "Delete Network Security Group" events.
- Create Alert for "Delete Policy Assignment" Events
Ensure that an activity log alert is created for the "Delete Policy Assignment" events.
- Create Alert for "Delete PostgreSQL Database" Events
Ensure that an activity log alert is created for "Delete PostgreSQL Database" events.
- Create Alert for "Delete Public IP Address" Events
Ensure that activity log alerts are created for the "Delete Public IP Address" events.
- Create Alert for "Delete Security Solution" Events
Ensure that an activity log alert is created for the "Delete Security Solution" events.
- Create Alert for "Delete Storage Account" Events
Ensure that an activity log alert exists for "Delete Storage Account" events.
- Create Alert for "Delete Virtual Machine" Events
Ensure that an activity log alert exists for "Delete Virtual Machine" events.
- Create Alert for "Power Off Virtual Machine" Events
Ensure that an activity log alert exists for "Power Off Virtual Machine" events.
- Create Alert for "Rename Azure SQL Database" Events
Ensure that an activity log alert is created for "Rename Azure SQL Database" events.
- Create Alert for "Update Key Vault" Events
Ensure that an activity log alert is created for "Update Key Vault (Microsoft.KeyVault/vaults)" events.
- Create Alert for "Update Security Policy" Events
Ensure that an activity log alert is created for the "Update Security Policy" events.
Advisor
- Check for Azure Advisor Recommendations
Ensure that Microsoft Azure Advisor recommendations are analyzed and implemented.
AppService
- Check for Latest Version of .NET Framework
Ensure that Azure App Service web applications are using the latest version of the .NET Framework.
- Check for Latest Version of Java
Ensure that Azure App Service web applications are using the latest stable version of Java.
- Check for Latest Version of PHP
Ensure that Azure App Service web applications are using the latest version of PHP.
- Check for Latest Version of Python
Ensure that Azure App Service web applications are using the latest version of Python.
- Check for Sufficient Backup Retention Period
Ensure there is a sufficient backup retention period configured for Azure App Services applications.
- Check for TLS Protocol Latest Version
Ensure that Azure App Service web applications are using the latest version of TLS encryption.
- Check that Azure App is using the latest version of HTTP
Ensure that Azure App Service web applications are using the latest version of HTTP.
- Check that the Azure App requests incoming client certificates
Ensure that your Azure App Service web applications request a client certificate on incoming requests.
- Disable Plain FTP Deployment
Ensure that FTP access is disabled for your Azure App Services web applications.
- Disable Remote Debugging
Disable Remote Debugging feature for your Microsoft Azure App Services web applications.
- Enable Always On
Ensure that your Azure App Services web applications stay loaded all the time by enabling the Always On feature.
- Enable App Service Authentication
Ensure that App Service Authentication is enabled within your Microsoft Azure cloud account.
- Enable Application Insights
Ensure that Azure App Services applications are configured to use Application Insights feature.
- Enable Automated Backups
Ensure that all your Azure App Services applications are using the Backup and Restore feature.
- Enable FTPS-Only Access
Enable FTPS-only access for your Microsoft Azure App Services web applications.
- Enable HTTPS-Only Traffic
Enable HTTP to HTTPS redirects for your Microsoft Azure App Service web applications.
- Enable Health Checks
Ensure that your Azure App Service web applications are using health checks.
- Enable Registration with Microsoft Entra ID
Ensure that registration with Microsoft Entra ID is enabled for Azure App Service applications.
- Use Key Vaults to Store App Service Application Secrets
Ensure that Azure Key Vaults are used to store App Service application secrets.
Container Apps
- Check for Azure Container Apps that Allow Insecure Traffic
Ensure that Microsoft Azure Container Apps are not configured to allow insecure connections.
- Disable Public Network Access
Ensure that public network access to Azure Container Apps is disabled.
- Enable Authentication and Authorization with Microsoft Entra ID
Enable authentication and authorization with Microsoft Entra ID.
- Enable Diagnostic Logs for Container Apps Environments
Ensure that Diagnostic Logs are enabled for Azure Container Apps environments.
- Enable HTTP/2 Only for Azure Container Apps
Ensure that HTTP/2 support is enabled for Microsoft Azure Container Apps.
- Enable Peer-to-Peer Encryption for Container Apps Environments
Ensure that peer-to-peer TLS encryption is enabled for Azure Container Apps environments.
- Enable and Configure Azure Container Apps Resiliency
Enable and configure Azure Container Apps resiliency using resiliency policies.
- Use Key Vaults to Store Azure Container App Secrets
Ensure that Azure Key Vaults are used to store Azure Container App secrets.
- Use Managed Identities for Azure Container Apps
Ensure that your Microsoft Azure Container Apps are using managed identities.
- Use TLS/SSL Certificates for Azure Container App Custom Domains
Ensure that Azure Container App custom domains are using TLS/SSL certificates.
Container Registry
- Configure IP Network Rules for Container Registries
Ensure that IP network rules are configured for your Azure container registries.
- Container Registries Encrypted with Customer-Managed Keys
Use Customer-Managed Keys (CMKs) to encrypt your Azure Container Registry (ACR) data.
- Disable ARM Audience Token Authentication for Container Registries
Ensure that ARM audience token authentication is disabled for Azure container registries.
- Disable Public Network Access to Container Registries
Ensure that public network access to Azure container registries is disabled.
- Enable Diagnostic Logs for Container Registries
Ensure that Diagnostic Logs are enabled for your Azure container registries.
- Enable Soft Delete for Container Registries
Ensure that Soft Delete is enabled for your Microsoft Azure container registries.
- Enable Trusted Microsoft Service Access for Container Registries
Allow trusted Microsoft services to access your network-restricted container registries.
- Use Managed Identities for Azure Container Registries
Ensure that your Microsoft Azure container registries are using managed identities.
- Use Private Endpoints for Container Registries
Ensure that network access to Azure container registries is allowed via private endpoints only.
CosmosDB
- Enable Advanced Threat Protection
Ensure that Advanced Threat Protection is enabled for all Microsoft Azure Cosmos DB accounts.
- Enable Automatic Failover
Enable automatic failover for Microsoft Azure Cosmos DB accounts.
- Restrict Default Network Access for Azure Cosmos DB Accounts
Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB account configuration.
Front Door
- Enable Web Application Firewall for Front Door Profiles
Enable Web Application Firewall (WAF) policies for Azure Front Door profiles.
- Minimum TLS Version
Ensure that the "Minimum TLS version" setting is set to "TLS 1.2" for all Azure Front Door custom domains.
- Use System-Assigned Managed Identities for Azure Front Door Profiles
Ensure that Azure Front Door profiles are using system-assigned managed identities.
Azure Functions
- Azure Function Access Keys
Ensure that your Microsoft Azure functions are using access keys.
- Azure Function Runtime Version
Ensure that your Azure functions are using the latest runtime version of the function host.
- Azure Functions with Admin Privileges
Ensure that your Azure functions are not configured with admin privileges.
- Disable Administrative Endpoints
Ensure that administrative endpoints are disabled for Microsoft Azure Function Apps.
- Disable Remote Debugging
Disable Remote Debugging for Microsoft Azure Function Apps to reduce the risk of exposure to sensitive data or potential attacks.
- Enable Integration with Application Insights
Ensure that Microsoft Azure functions are configured to use Application Insights feature.
- Enable Virtual Network Integration for Azure Functions
Ensure that Virtual Network integration is enabled for your Azure Function Apps.
- Exposed Azure Functions
Ensure that your Microsoft Azure functions are not publicly accessible.
- Minimum TLS Version
Ensure that the "Minimum Inbound TLS Version" setting is set to 1.2 or higher for all Azure Function Apps.
- Use Key Vaults to Store Azure Function App Secrets
Ensure that Azure Key Vaults are used to store Azure Function App secrets.
- Use Managed Identities for Azure Function Apps
Ensure that your Microsoft Azure Function Apps are using managed identities.
- Use Network Security Groups for Azure Function Apps
Ensure that your Microsoft Azure Function Apps are using Network Security Groups (NSGs).
- Use Private Endpoints for Azure Function Apps
Ensure that network access to Azure Function Apps is allowed via private endpoints only.
- Use System-Assigned Managed Identities for Azure Functions
Ensure that Azure functions are using system-assigned managed identities.
- Use User-Assigned Managed Identities for Azure Functions
Ensure that Azure functions are using user-assigned managed identities.
KeyVault
- App Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Azure cloud application tier.
- Azure Key Vault Cross-Subscription Access
Ensure that Azure key vaults don't allow unknown cross-subscription access.
- Check for Allowed Certificate Key Types
Ensure that Azure Key Vault certificates are using the appropriate key type(s).
- Check for Azure Key Vault Keys Expiration Date
Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date.
- Check for Azure Key Vault Secrets Expiration Date
Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.
- Check for Certificate Minimum Key Size
Ensure that Azure Key Vault RSA certificates are using the appropriate key size.
- Check for Key Vault Full Administrator Permissions
Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults.
- Check for Sufficient Certificate Auto-Renewal Period
Ensure there is a sufficient period configured for SSL certificate auto-renewal.
- Database Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud database tier.
- Enable AuditEvent Logging for Azure Key Vaults
Ensure that logging for Azure Key Vault is 'Enabled'.
- Enable Certificate Transparency
Ensure that certificate transparency is enabled for all your Azure Key Vault certificates.
- Enable Key Vault Recoverability
Ensure that your Microsoft Azure Key Vault instances are recoverable.
- Enable SSL Certificate Auto-Renewal
Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.
- Enable Trusted Microsoft Services for Key Vault Access
Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates).
- Restrict Default Network Access for Azure Key Vaults
Ensure that default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration.
- Set Azure Secret Key Expiration
Ensure that an expiration date is set for all your Microsoft Azure secret keys.
- Set Encryption Key Expiration
Ensure that an expiration date is configured for all your Microsoft Azure encryption keys.
- Web Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.
Locks
- Enable Azure Resource Locks
Ensure that resource locks are enabled for your high-impact Microsoft Azure resources.
Machine Learning
- Enable Diagnostic Logs for Machine Learning Workspaces
Ensure that Diagnostic Logs are enabled for your Azure Machine Learning workspaces.
- Enable High Business Impact for Machine Learning Workspaces
Enable High Business Impact feature for your Azure Machine Learning workspaces.
- Enable Managed Virtual Network Isolation with Internet Outbound Access
Ensure that managed VNet isolation with Internet outbound access is enabled for your Azure Machine Learning workspaces.
- Enable Network Isolation for Azure Machine Learning Registries
Ensure that network isolation is enabled for your Azure Machine Learning registries.
- Machine Learning Workspace Encryption using Customer-Managed Keys
Use Customer Managed Keys (CMKs) to encrypt Azure Machine Learning workspaces.
- Use System-Assigned Managed Identities for Azure Machine Learning Workspaces
Ensure that Azure Machine Learning workspaces are using system-assigned managed identities.
Monitor
- Activity Log All Activities
Ensure that the audit profile captures all activities.
- Activity Log All Regions (Deprecated)
Ensure that Azure Log Profile is configured to capture activity logs for all regions.
- Activity Log Retention (Deprecated)
Ensure that Azure activity log retention period is set for 365 days or greater.
- Activity Log Storage Encryption with Customer-Managed Key
Use Customer-Managed Keys (CMKs) for Azure activity log storage container encryption.
- Azure Activity Log Profile in Use (Deprecated)
Ensure that a Log Profile exists for each subscription available in your Azure account.
- Check for Publicly Accessible Activity Log Storage Container
Ensure that the Azure storage container storing the activity logs isn't publicly accessible.
- Configure Application Insights
Ensure that an Application Insights resource is created within your Azure cloud account.
- Configure Diagnostic Setting Categories
Ensure that the diagnostic settings are configured to capture the appropriate categories.
- Enable Diagnostic Logs for the Supported Resources
Ensure that Diagnostic Logs are enabled for the supported Azure cloud resources.
- Enable Exporting Activity Logs for Azure Cloud Resources
Ensure that exporting activity logs is enabled for each cloud resource within a subscription.
- Enable Subscription Activity Log Diagnostic Settings
Ensure that Azure Monitor Activity Logs for subscriptions are exported via diagnostic settings.
MySQL
- Configure TLS Version for MySQL Flexible Database Servers
Ensure that the 'tls_version' parameter is set to a minimum of 'TLSV1.2' for all MySQL flexible database servers.
- Enable In-Transit Encryption for MySQL Servers
Ensure that in-transit encryption is enabled for your Azure MySQL database servers.
Network
- Bastion Host in Use
Ensure that Azure Bastion service is used within your Microsoft Azure cloud account.
- Check for NSG Flow Log Retention Period
Ensure that Network Security Group (NSG) flow log retention period is greater than or equal to 90 days.
- Check for Network Security Groups with Port Ranges
Ensure there are no network security groups with a range of ports open to incoming traffic.
- Check for Unrestricted CIFS Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 445 (Common Internet File System – CIFS).
- Check for Unrestricted DNS Access
Ensure that no network security groups allow unrestricted inbound access on TCP and UDP port 53.
- Check for Unrestricted FTP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 20 and 21 (File Transfer Protocol – FTP).
- Check for Unrestricted HTTP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 80.
- Check for Unrestricted HTTPS Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 443.
- Check for Unrestricted ICMP Access
Ensure that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Check for Unrestricted Inbound TCP or UDP Access on Selected Ports
Ensure that no network security groups allow unrestricted inbound access via TCP or UDP on selected ports.
- Check for Unrestricted MS SQL Server Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 1433 (Microsoft SQL Server).
- Check for Unrestricted MSSQL Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 1433.
- Check for Unrestricted MongoDB Access
Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.
- Check for Unrestricted MySQL Database Access
Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database).
- Check for Unrestricted NetBIOS Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS).
- Check for Unrestricted Oracle Database Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database).
- Check for Unrestricted PostgreSQL Database Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server).
- Check for Unrestricted RDP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol – RDP).
- Check for Unrestricted RPC Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 135 (Remote Procedure Call – RPC).
- Check for Unrestricted SMTP Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 25.
- Check for Unrestricted SSH Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 22 (SSH).
- Check for Unrestricted Telnet Access
Ensure that no network security groups allow unrestricted inbound access on TCP port 23.
- Check for Unrestricted UDP Access
Ensure that no network security groups allow unrestricted inbound access on UDP ports.
- Enable Azure Network Watcher
Ensure that Network Watcher is enabled within your Microsoft Azure account subscription.
- Enable DDoS Standard Protection for Virtual Networks
Ensure that DDoS standard protection is enabled for production Azure virtual networks.
- Monitor Network Security Group Configuration Changes
Network security group changes have been detected in your Microsoft Azure cloud account.
- Review Network Interfaces with IP Forwarding Enabled
Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed.
-
Policy
- Policy Assignment Created
Policy assignment changes have been detected in your Microsoft Azure cloud account.
-
PostgreSQL
- Check for PostgreSQL Log Retention Period
Ensure that PostgreSQL database servers have a sufficient log retention period configured.
- Check for PostgreSQL Major Version
Ensure that PostgreSQL database servers are using the latest major version of PostgreSQL database.
- Disable "Allow access to Azure services" for PostgreSQL database servers
Ensure that any access from Azure services to Azure PostgreSQL database servers is disabled.
- Enable "CONNECTION_THROTTLING" Parameter for PostgreSQL Servers
Ensure that the "connection_throttling" parameter is set to "ON" within your Azure PostgreSQL server settings.
- Enable "LOG_CHECKPOINTS" Parameter for PostgreSQL Servers
Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL database servers.
- Enable "LOG_CONNECTIONS" Parameter for PostgreSQL Servers
Enable "log_connections" parameter for your Microsoft Azure PostgreSQL database servers.
- Enable "LOG_DISCONNECTIONS" Parameter for PostgreSQL Servers
Enable "log_disconnections" parameter for your Microsoft Azure PostgreSQL database servers.
- Enable "LOG_DURATION" Parameter for PostgreSQL Servers
Enable "log_duration" parameter on your Microsoft Azure PostgreSQL database servers.
- Enable "log_checkpoints" Parameter for PostgreSQL Flexible Servers
Enable "log_checkpoints" parameter for your Microsoft Azure PostgreSQL flexible database servers.
- Enable Geo-Redundant Backups
Ensure that geo-redundant backups are enabled for your Azure PostgreSQL database servers.
- Enable In-Transit Encryption for PostgreSQL Database Servers
Ensure that in-transit encryption is enabled for your Azure PostgreSQL database servers.
- Enable Infrastructure Double Encryption for Single Servers
Ensure that infrastructure double encryption is enabled for Single Server Azure PostgreSQL database servers.
- Enable Storage Auto-Growth
Ensure that storage auto-growth is enabled for your Microsoft Azure PostgreSQL database servers.
- Use Microsoft Entra Admin for PostgreSQL Authentication
Ensure that a Microsoft Entra admin is configured for PostgreSQL authentication.
-
Recovery Services
- Enable Email Notifications for Backup Alerts
Ensure that email notifications are enabled for virtual machine (VM) backup alerts.
-
Redis Cache
- Check for TLS Protocol Latest Version
Ensure that Azure Redis Cache servers are using the latest version of the TLS protocol.
- Enable In-Transit Encryption for Redis Cache Servers
Ensure that in-transit encryption is enabled for all Microsoft Azure Redis Cache servers.
-
Resources
- Tags
Ensure there is a tagging strategy in use for identifying and organizing Azure resources by name, purpose, environment, and other criteria.
-
Search
- Enable System-Assigned Managed Identities
Ensure that Azure Search Service instances are configured to use system-assigned managed identities.
-
Defender
- Configure Additional Email Addresses for Azure Security Center Notifications
Ensure that additional email addresses are provided to receive security notifications.
- Detect Create, Update or Delete Security Solution Events
Security solution changes have been detected within your Microsoft Azure cloud account.
- Detect Update Security Policy Event
Azure security policy changes have been detected within your Microsoft Azure cloud account.
- Email Notification for Alerts
Ensure that Email Notification for Alerts is set to On.
- Email To Subscription Owners
Ensure that "Send email also to subscription owners" is set to On.
- Enable All Parameters for Microsoft Defender for Cloud Default Policy
Ensure that all the parameters supported by Microsoft Defender for Cloud default policy are enabled.
- Enable Automatic Provisioning of Microsoft Defender for Containers Components
Ensure that automatic provisioning of security components is enabled for Azure containers.
- Enable Automatic Provisioning of Vulnerability Assessment for Virtual Machines
Ensure that automatic provisioning of vulnerability assessment solutions is enabled for virtual machines.
- Enable Automatic Provisioning of the Monitoring Agent
Ensure that the "Automatic provisioning of monitoring agent" feature is enabled to enhance security at the virtual machine (VM) level.
- Enable DDoS Protection Standard Monitoring for Public Virtual Networks
Ensure that monitoring of DDoS protection at the Azure virtual network level is enabled.
- Enable Defender Auto Provisioning Extensions
Enable the automatic provisioning of extensions for Microsoft Defender for Cloud in your Azure subscriptions.
- Enable Defender for APIs
Ensure that Defender for APIs is enabled for Azure API Management services.
- Enable Defender for Endpoint Integration with Microsoft Defender for Cloud
Ensure that Defender for Endpoint – Defender for Cloud integration is enabled.
- Enable High Severity Email Notifications
Ensure that Email Notification for Alerts is set to On.
- Enable Microsoft Defender Standard Pricing Tier
Ensure that Microsoft Defender for Cloud standard pricing tier is enabled in your Azure account.
- Enable Microsoft Defender for Cloud Apps Integration
Ensure that Microsoft Defender for Cloud Apps integration is enabled.
- Enable Microsoft Defender for Cloud for App Service Instances
Ensure that Microsoft Defender for Cloud is enabled for Azure App Service instances.
- Enable Microsoft Defender for Cloud for Azure Containers
Ensure that Microsoft Defender for Cloud is enabled for Azure containers.
- Enable Microsoft Defender for Cloud for Azure SQL Database Servers
Ensure that Microsoft Defender for Cloud is enabled for SQL database servers.
- Enable Microsoft Defender for Cloud for Key Vaults
Ensure that Microsoft Defender for Cloud is enabled for Azure key vault resources.
- Enable Microsoft Defender for Cloud for SQL Server Virtual Machines
Ensure that Microsoft Defender for Cloud is enabled for SQL Server virtual machines.
- Enable Microsoft Defender for Cloud for Storage Accounts
Ensure that Microsoft Defender for Cloud is enabled for Azure storage accounts.
- Enable Microsoft Defender for Cloud for Virtual Machines
Ensure that Microsoft Defender for Cloud is enabled for virtual machine (VM) servers.
- Enable Monitoring of Deprecated Accounts
Ensure that the monitoring of deprecated accounts is enabled.
- Enable Virtual Machine IP Forwarding Monitoring
Ensure that IP forwarding enabled on your Azure virtual machines (VMs) is being monitored.
- Enable Vulnerability Assessment Periodic Recurring Scans
Ensure that Vulnerability Assessment Periodic Recurring Scans are enabled for SQL database servers.
- Enable Vulnerability Assessment for Microsoft SQL Servers
Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers.
- Microsoft Defender for Cloud Recommendations
Ensure that Microsoft Defender for Cloud recommendations are examined and resolved.
- Microsoft Defender for Cloud Security Alerts
Ensure that Microsoft Defender for Cloud security alerts are examined and resolved.
- Monitor Adaptive Application Safelisting
Ensure that Adaptive Application controls isn't set to Disabled.
- Monitor Disk Encryption
Ensure that Disk Encryption isn't set to Disabled.
- Monitor Endpoint Protection
Ensure that Endpoint protection isn't set to Disabled.
- Monitor External Accounts with Write Permissions
Ensure that the external accounts with write permissions are monitored using Azure Security Center.
- Monitor JIT Network Access
Ensure that JIT Network Access isn't set to Disabled.
- Monitor Network Security Groups
Ensure that Network Security Groups isn't set to Disabled.
- Monitor OS Vulnerabilities
Ensure that Security Configurations isn't set to Disabled.
- Monitor SQL Auditing
Ensure that SQL Auditing isn't set to Disabled.
- Monitor SQL Encryption
Ensure that SQL Encryption isn't set to Disabled.
- Monitor Storage Blob Encryption
Ensure that Storage Encryption isn't set to Disabled.
- Monitor System Updates
Ensure that System updates isn't set to Disabled.
- Monitor Vulnerability Assessment
Ensure that Vulnerability Assessment isn't set to Disabled.
- Monitor Web Application Firewall
Ensure that Web Application Firewall isn't set to Disabled.
- Monitor the Total Number of Subscription Owners
Ensure that the total number of subscription owners within your Azure account is monitored.
- Next Generation Firewall (NGFW) Monitoring
Ensure that Next generation firewall isn't set to Disabled.
- Security Contact Emails
Ensure that a valid security contact email address is set.
- Security Contact Phone Number
Ensure that a valid security contact phone number is set.
-
Service Bus
- Disable Public Network Access to Service Bus Namespaces
Ensure that public network access to Azure Service Bus namespaces is disabled.
- Minimum TLS Version
Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Service Bus namespaces.
-
SQL
- Check for Publicly Accessible SQL Servers
Ensure that Azure SQL database servers are accessible via private endpoints only.
- Check for Sufficient Point in Time Restore (PITR) Backup Retention Period
Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases.
- Check for Unrestricted SQL Database Access
Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address).
- Configure "AuditActionGroup" for SQL Server Auditing
Ensure that the "AuditActionGroup" property is properly configured at the Azure SQL database server level.
- Configure Emails for Classic Vulnerability Assessment Scan Reports and Alerts
Configure Vulnerability Assessment scan reports and alerts via email for SQL database servers with classic configuration.
- Detect Create, Update, and Delete SQL Server Firewall Rule Events
SQL Server firewall rule changes have been detected in your Microsoft Azure cloud account.
- Enable Advanced Data Security for SQL Servers
Ensure that Advanced Data Security (ADS) is enabled at the Azure SQL database server level.
- Enable All Types of Threat Detection on SQL Servers
Enable all types of threat detection for your Microsoft Azure SQL database servers.
- Enable Auditing for SQL Servers
Ensure that database auditing is enabled at the Azure SQL database server level.
- Enable Auto-Failover Groups
Ensure that your Azure SQL database servers are configured to use auto-failover groups.
- Enable Automatic Tuning for SQL Database Servers
Ensure that the Automatic Tuning feature is enabled for Microsoft Azure SQL database servers.
- Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners
Configure Vulnerability Assessment to send email notifications to admins and subscription owners using the classic configuration (Not Scored).
- Enable Transparent Data Encryption for SQL Databases
Ensure that Transparent Data Encryption (TDE) is enabled for every Azure SQL database.
- Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys
Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).
- Enable Vulnerability Assessment Periodic Recurring Scans
Ensure that Vulnerability Assessment Periodic Recurring Scans are enabled for SQL database servers (Not Scored).
- Enable Vulnerability Assessment for Microsoft SQL Servers
Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers (Not Scored).
- Minimum TLS Version
Ensure that "Minimum TLS version" is set to "TLS 1.2" for all Azure SQL managed instances.
- SQL Auditing Retention
Ensure that SQL database auditing has a sufficient log data retention period configured.
- Use BYOK for Transparent Data Encryption
Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).
- Use Microsoft Entra Admin for SQL Authentication
Ensure that a Microsoft Entra admin is configured for SQL authentication.
-
Storage Accounts
- Allow Shared Access Signature Tokens Over HTTPS Only
Ensure that Shared Access Signature (SAS) tokens are allowed only over the HTTPS protocol.
- Check for Overly Permissive Stored Access Policies
Ensure that Azure Storage shared access signature (SAS) tokens are not using overly permissive access policies.
- Check for Publicly Accessible Web Containers
Ensure that Azure Storage containers created to host static websites aren't publicly accessible.
- Check for Sufficient Soft Deleted Data Retention Period
Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.
- Configure Minimum TLS Version
Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.
- Disable Anonymous Access to Blob Containers
Ensure that anonymous access to blob containers is disabled within your Azure Storage account.
- Disable Cross-Tenant Object Replication
Ensure that cross-tenant object replication is disabled for your Azure Storage accounts.
- Disable public access to storage accounts with blob containers
Ensure that public access to blob containers is disabled for your Azure storage accounts to override any ACL configurations allowing access.
- Enable Blob Storage Lifecycle Management
Ensure that Azure Blob Storage service has a lifecycle management policy configured.
- Enable Immutable Blob Storage
Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification.
- Enable Infrastructure Encryption
Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts.
- Enable Logging for Azure Storage Blob Service
Ensure that storage logging is enabled for the Azure Storage Blob service.
- Enable Logging for Azure Storage Queue Service
Ensure that detailed storage logging is enabled for the Azure Storage Queue service.
- Enable Logging for Azure Storage Table Service
Ensure that storage logging is enabled for the Azure Storage Table service.
- Enable Secure Transfer in Azure Storage
Ensure that the "Secure transfer required" security feature is enabled within your Azure Storage account configuration.
- Enable Soft Delete for Azure Blob Storage
Ensure that the Soft Delete feature is enabled for your Microsoft Azure Storage blob objects.
- Enable Trusted Microsoft Services for Storage Account Access
Allow Trusted Microsoft Services to access your Azure Storage account resources.
- Limit Storage Account Access by IP Address
Ensure that Azure Storage account access is limited only to specific IP address(es).
- Private Endpoint in Use
Ensure that private endpoints are used to access Microsoft Azure Storage accounts.
- Regenerate Storage Account Access Keys Periodically
Regenerate storage account access keys periodically to help keep your storage account secure.
- Restrict Default Network Access for Storage Accounts
Ensure that the default network access rule is set to "Deny" within your Azure Storage account.
- Review Storage Accounts with Static Website Configuration
Ensure that Azure Storage Accounts with static website configuration are regularly reviewed (informational).
- Shared Access Signature Tokens Expire Within An Hour
Ensure that your Shared Access Signature (SAS) tokens expire within an hour.
- Storage Account Encryption using Customer Managed Keys
Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts.
- Use BYOK for Storage Account Encryption
Use customer-managed keys (CMKs) for Microsoft Azure Storage account encryption.
-
Subscriptions
- Basic/Consumption SKU Should not be Used in Production
Ensure that Basic/Consumption SKU is not being used within your Azure cloud account.
- Check for Azure Cloud Budget Alerts
Ensure there are budget alerts configured to warn about forthcoming budget overages within your Azure cloud account.
- Check for the Number of Subscription Owners
Ensure there is more than one owner assigned to your Microsoft Azure subscription.
- Ensure "Not Allowed Resource Types" Policy Assignment in Use
To prevent certain resource types from being deployed, ensure that the "Not Allowed Resource Types" policy is assigned.
-
Synapse
- Enable Transparent Data Encryption for Azure Synapse Analytics Dedicated SQL Pools
Ensure that Transparent Data Encryption (TDE) is enabled for dedicated SQL pools in Azure Synapse Analytics.
-
Virtual Machines
- Apply Latest OS Patches
Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.
- Approved Azure Machine Image in Use
Ensure that all your Azure virtual machine instances are launched from approved machine images only.
- Azure Disk Encryption for Boot Disk Volumes
Ensure that Azure Disk Encryption is enabled for Azure virtual machine boot volumes to protect data at rest.
- Azure Disk Encryption for Non-Boot Disk Volumes
Ensure that Azure Disk Encryption is enabled for Microsoft Azure virtual machines for non-boot volumes.
- Azure Disk Encryption for Unattached Disk Volumes
Ensure that Azure Disk Encryption is enabled for unattached Azure virtual machine disk volumes.
- Check for Associated Load Balancers
Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.
- Check for Desired VM SKU Size(s)
Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).
- Check for Empty Virtual Machine Scale Sets
Identify and remove empty virtual machine scale sets from your Azure cloud account.
- Check for SSH Authentication Type
Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys.
- Check for Sufficient Daily Backup Retention Period
Ensure there is a sufficient daily backup retention period configured for Azure virtual machines.
- Check for Sufficient Instant Restore Retention Period
Ensure there is a sufficient instant restore retention period configured for Azure virtual machines.
- Check for Unused Load Balancers
Identify and remove unused load balancers from your Microsoft Azure cloud account.
- Check for Zone-Redundant Virtual Machine Scale Sets
Ensure that Azure virtual machine scale sets are configured for zone redundancy.
- Disable Premium SSD
Ensure that Azure virtual machines are using Standard SSD disk volumes instead of Premium SSD volumes to optimize VM costs.
- Disable Public IP Address Assignment for VMSS Instances
Avoid assigning public IP addresses to individual instances within your virtual machine scale set.
- Disable Public IP Address Assignment for Virtual Machine Scale Sets
Ensure that Azure virtual machine scale sets don't assign public IP addresses.
- Enable Accelerated Networking for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.
- Enable Auto-Shutdown
Configure your Microsoft Azure virtual machines to automatically shut down on a daily basis.
- Enable Automatic Instance Repairs
Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs.
- Enable Automatic OS Upgrades
Ensure that the Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.
- Enable Autoscale Notifications
Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.
- Enable Backups for Azure Virtual Machines
Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).
- Enable Encryption for App-Tier Disk Volumes
Ensure that Azure virtual machine disk volumes created for the app tier are encrypted.
- Enable Encryption for Web-Tier Disk Volumes
Ensure that Azure virtual machine disk volumes deployed within the web tier are encrypted.
- Enable Guest-Level Diagnostics for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.
- Enable Instance Termination Notifications for Virtual Machine Scale Sets
Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets.
- Enable Just-In-Time Access for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access.
- Enable MFA for Privileged Identities with Access to Virtual Machines
Ensure that only MFA-enabled identities can access your Azure virtual machine (VM) instances.
- Enable Performance Diagnostics for Azure Virtual Machines
Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool.
- Enable System-Assigned Managed Identities
Ensure that Azure virtual machines are configured to use system-assigned managed identities.
- Enable Trusted Launch for Virtual Machines
Ensure that Microsoft Azure virtual machines are configured to use the Trusted Launch feature.
- Enable Virtual Machine Access using Microsoft Entra ID Authentication
Configure your Microsoft Azure virtual machines to use Microsoft Entra ID credentials for secure authentication.
- Enable Virtual Machine Boot Diagnostics
Ensure that Microsoft Azure virtual machines are configured to use the Boot Diagnostics feature.
- Enable and Configure Health Monitoring
Ensure that the health of your Microsoft Azure scale set instances is being monitored.
- Install Approved Extensions Only
Ensure that only approved extensions are installed on your Microsoft Azure virtual machines.
- Install Endpoint Protection
Ensure that endpoint protection is installed on your Microsoft Azure virtual machines.
- Remove Old Virtual Machine Disk Snapshots
Identify and remove old virtual machine disk snapshots in order to optimize cloud costs.
- Remove Unattached Virtual Machine Disk Volumes
Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs.
- Server Side Encryption for Boot Disk using CMK
Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs).
- Server Side Encryption for Non-Boot Disk using CMK
Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs).
- Server Side Encryption for Unattached Disk using CMK
Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs).
- Use BYOK for Disk Volumes Encryption
Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volume encryption.
- Use Customer Managed Keys for Virtual Hard Disk Encryption
Ensure that Customer Managed Keys are used to encrypt Virtual Hard Disk (VHD) volumes.
- Use Managed Disk Volumes for Virtual Machines
Ensure that your Microsoft Azure virtual machines are using managed disk volumes.